WO2010090068A1 - Authentication system, method and program - Google Patents

Publication number
WO2010090068A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
verification
commit
authentication
authentication information
Prior art date
Application number
PCT/JP2010/050538
Other languages
English (en)
Japanese (ja)
Inventor
賢 尾花
Original Assignee
日本電気株式会社
Priority date
Filing date
Publication date
Application filed by 日本電気株式会社
Publication of WO2010090068A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • The present invention relates to an authentication system, a setup device, a commit data generation/verification device, an authentication method, a setup device program, and a commit data generation/verification device program, and in particular to an authentication system based on a commitment scheme whose security does not rely on computational assumptions.
  • A technique called commitment is known as a way to prevent a party from advancing a protocol to its own advantage by fixing its data only after learning the other party's data, as when a player throws late in janken (rock-paper-scissors).
  • Commitment is a protocol between a sender and a receiver that consists of two phases: commit and disclosure/verification.
  • In the commit phase, the sender outputs commit data, disclosure data, and proof data based on the input data, and passes the commit data to the receiver.
  • The verifier passes disclosure data, commit data, and proof data to the receiver, and the receiver takes the passed disclosure data, commit data, and proof data as input and verifies them.
  • The result “0” or “1” is output.
  • A verification result of 1 means that the input data and the disclosed data match, and a verification result of 0 means that the input data and the disclosed data are different.
  • A and B execute the disclosure/verification phase, confirm the correctness of J_A and J_B, and then confirm which of them has won the janken.
  • With the above protocol, A and B cannot change their hands after sending the commit data, so even if either A or B sees the other's hand first, that party cannot change its own hand to its advantage.
  • Non-Patent Document 1 to Non-Patent Document 4 shown below can be cited.
  • Non-Patent Document 1 describes a commitment scheme that has computational complexity and complete constraint using a pseudo-random number generator.
  • Non-Patent Document 2 describes a commitment method having complete secrecy and computational constraint using the difficulty of the discrete logarithm problem.
  • In Non-Patent Document 3, it is assumed that there is a trusted third party who passes the data used in the commit phase and in the disclosure/verification phase, respectively, before the commit phase starts, and a commitment method that has both complete secrecy and complete constraint is described.
  • Non-Patent Document 4 also describes a completely confidential commitment scheme assuming the existence of a trusted third party who plays the same role as in Non-Patent Document 3.
  • The method of Non-Patent Document 4 is a broadcast-type commitment method, in which n people receive one commit data at the same time and, at the time of disclosure/verification, each can verify the validity of the commit data using the information it holds. In addition, this method guarantees complete constraint unless k or more people collude.
  • Non-Patent Documents 3 and 4 are commitment methods having both complete secrecy and complete constraint.
  • In Non-Patent Documents 3 and 4, when many users participate in the protocol and it is not known in advance who will commit data, there is the disadvantage that each user must retain data proportional to the total number of users n in order to be able to generate commit data and to verify the commit data of other users.
  • Non-Patent Document 3 assumes a commitment between a single sender and a single receiver, and when commit data is calculated for a plurality of receivers, there is the disadvantage that the bit length of the commit data increases in proportion to the number of recipients.
  • In Non-Patent Document 4, in a situation where n participants commit their data, as in multi-party computation, there is the inconvenience that each participant must hold an amount of data proportional to n.
  • The object of the present invention is to reduce the amount of information that each participant must hold relative to the total number of users n, even in a situation where it is not known in advance which of the n users will commit data, such as multi-party computation.
  • The object is to provide a setup device program and a commit data generation/verification device program.
  • An authentication system of the present invention includes two or more commit data generation/verification devices that generate commit data and verify whether or not the verification target data relating to the commit data has been falsified, and a setup device for operating each of the commit data generation/verification devices. The setup device includes an authentication information generation unit that generates authentication data and an authenticator used for the verification by each commit data generation/verification device.
  • The commit data generation/verification device includes an authentication information storage unit that stores a part of the authentication data and the authenticator, and the authentication information generation unit generates the authentication data and the authenticator based on data in which a constant is substituted for one of the variables in a two-variable polynomial.
  • A setup apparatus of the present invention operates each of two or more commit data generation/verification apparatuses that generate commit data and verify whether or not the verification target data relating to the commit data has been falsified. It comprises an authentication information generation unit that generates authentication data and an authenticator used for the verification by each commit data generation/verification device, and the authentication information generation unit generates the authentication data and the authenticator based on data in which a constant is substituted for one of the variables in a two-variable polynomial.
  • A commit data generation/verification apparatus of the present invention generates commit data and verifies whether or not the verification target data relating to the commit data has been falsified, and comprises:
  • a mask data storage unit that stores mask data generated to conceal the verification target data;
  • an authentication information storage unit that stores authentication data used for the verification and an authenticator for the mask data;
  • a verification target data storage unit that stores the verification target data;
  • a commit data generation unit that generates the commit data concealing the verification target data based on the mask data;
  • a commit data storage unit that stores each commit data output by all other devices and by the own device; and
  • a commit data verification unit that verifies the non-falsification of other verification target data and outputs the verification result, based on the mask data in another device and its authenticator, a part of the authentication data in the own device, and the other commit data.
  • The authentication information storage unit stores the authentication data and the authenticator generated based on data in which a constant is substituted for one of the variables in a two-variable polynomial.
  • The authentication method of the present invention is used in an authentication system that includes two or more commit data generation/verification devices that generate commit data and verify whether or not the verification target data relating to the commit data has been falsified, and a setup device for operating each commit data generation/verification device. It is the method by which the commit data generation/verification devices verify the verification target data.
  • The mask data generation unit in the setup device generates mask data for concealing the verification target data, and the setup device subsequently generates authentication information for the verification and authentication information for the mask data.
  • The setup device program of the present invention is a program for a setup device that operates at least two commit data generation/verification devices that generate commit data and verify whether or not the verification target data relating to the commit data has been falsified.
  • It causes a computer included in the setup device to realize various functions, including a function of generating mask data for concealing the verification target data relating to each commit data generation/verification device,
  • and a function of generating the authentication data and the authenticator based on data obtained by substituting a constant for one of the variables in a bivariate polynomial.
  • The commit data generation/verification apparatus program of the present invention is a program for an apparatus that generates commit data and verifies whether or not the verification target data relating to the commit data has been falsified. It causes a computer included in the apparatus to realize the following functions:
  • a mask data storage function of storing mask data generated to conceal the verification target data;
  • an authentication information storage function of storing authentication data used for the verification and an authenticator for the mask data; a verification target data storage function of storing the verification target data;
  • a commit data generation function of generating the commit data that conceals the verification target data based on the mask data; a commit data storage function of storing all commit data output by the other devices and by the device itself; and
  • a commit data verification function of verifying the non-falsification of other verification target data, based on the mask data and its authenticator in the other device, a part of the authentication data in the own device, and the other commit data, and outputting the verification result.
  • The computer is caused to execute a function of storing the authentication data
  • Because the authentication information generation unit is configured to generate the authentication data and the authenticator based on data obtained by substituting a constant for one of the variables in a bivariate polynomial, the data required for generating and verifying the commit data can be reduced to an amount proportional to k ( ⁇ n), which is the number of commit data generation/verification devices that would need to collude to threaten the security. It is therefore possible to reduce the amount of data necessary for authentication, such as commit data generation/verification, and to increase the processing speed of authentication.
  • The commitment generation/verification system 1 includes two or more commit data generation/verification apparatuses 200 (200-1 to 200-n) that generate commit data and verify whether or not the verification target data relating to the commit data has been falsified, and a setup device 100 for operating each of the commit data generation/verification devices 200 (200-1 to 200-n).
  • The number of commit data generation/verification apparatuses 200 is represented as n.
  • The device numbers are i and j.
  • The setup apparatus 100 includes an authentication information generation unit 102 that generates authentication data and an authenticator used for the verification by the commit data generation/verification apparatuses 200 (200-1 to 200-n).
  • The setup apparatus 100 outputs the mask values to be stored in all of the commit data generation/verification apparatuses 200 and authentication information including an authenticator for each mask value.
  • The authentication information generation unit 102 generates the authentication data and the authenticator based on data obtained by substituting a constant for one of the variables in a two-variable polynomial.
  • The commit data generation unit 205-1 receives the verification target data stored in the data storage unit 201-1 in the apparatus, and outputs the commit data.
  • The commit data verification unit 206-1 takes as input the other commit data that was output from another commit data generation/verification device 200 (with device number j) and is stored in the commit data storage unit 204-1 in the device, the other verification target data stored in the data storage unit 201-j of device number j, a part of the authentication information stored in the authentication information storage unit 202-j of device number j, and the other mask value (other mask data) stored in the mask value storage unit 203-j of device number j.
  • It verifies whether or not the other verification target data stored in device number j has been falsified relative to the other verification target data at the time the commit data was generated by device number j, and outputs 1 when it determines that no falsification has occurred and 0 when it determines that falsification has occurred.
  • The authentication information generation unit is configured to generate authentication data and an authenticator based on data obtained by substituting a constant for one of the variables in a two-variable polynomial.
  • The data necessary for the generation/verification of commit data can thus be reduced to an amount proportional to k ( ⁇ n), which is the number of commit data generation/verification devices 200 that would need to collude in order to threaten the constraint of the commitment method. This reduces the amount of data required for authentication, such as commit data generation/verification, and makes it possible to increase the processing speed of authentication.
  • FIG. 1 is a block diagram showing an example of the overall configuration of the commitment generation/verification system according to the first embodiment of the present invention.
  • The commitment generation/verification system 1 of this embodiment includes a setup device 100 and a plurality of commit data generation/verification devices 200 (200-1 to 200-n). Data and information can be exchanged by communication between the setup device 100 and each commit data generation/verification device 200 (200-1 to 200-n), and between the commit data generation/verification devices 200 (200-1 to 200-n).
  • The setup apparatus 100 includes a mask value generation unit 101 as a mask data generation unit and an authentication information generation unit 102.
  • The mask value generation unit 101 has a function of generating and outputting n independent random numbers r_1, r_2, ..., r_n for masking the data held by the commit data generation/verification apparatuses 200-1 to 200-n.
  • The authenticator a_i generated here is characterized by being generated with a method that makes it difficult to generate a valid authenticator a′_i for a value r′_i other than r_i, even when fewer than k devices cooperate.
  • The present embodiment is characterized in that a bivariate polynomial is used to generate such an authenticator.
  • The authentication information generation unit 102 includes a two-variable polynomial generation/calculation unit 1021 for generating an authenticator.
  • This two-variable polynomial generation/calculation unit 1021 internally generates a plurality of two-variable polynomials and outputs, as e_i, the values obtained by substituting the device number i for one variable of all the generated polynomials.
  • The values obtained by substituting the device number i for the other variable of the polynomials, the one that was not substituted when computing e_i, are output as f_i.
  • The authentication information generation unit 102 has a two-variable Kth order polynomial random generation function that randomly and independently generates at least two two-variable Kth order polynomials.
  • The authentication information generation unit 102 has an authentication information generation key generation function that generates an authentication information generation key based on first data, in which a constant such as a device number is substituted for one of the variables in one of the generated two-variable Kth order polynomials, and second data, in which the constant is substituted for one of the variables in the other two-variable Kth order polynomial.
  • The authentication information generation unit 102 also has an authentication information verification key generation function that generates an authentication information verification key based on third data, in which a constant such as a device number is substituted for the other variable in the one generated two-variable Kth order polynomial, and fourth data, in which the constant is substituted for the other variable in the other two-variable Kth order polynomial.
  • The authentication information generation unit 102 has an authenticator generation function for generating an authenticator for the mask data based on the generated authentication information generation key and the mask data.
  • The mask value generation unit 101, as the mask data generation unit, generates as mask data independent random number data, one for each of the devices, for masking the verification target data held by each commit data generation/verification device 200.
  • The authentication information generation unit 102 outputs each random number data, each authentication information verification key, and each authenticator.
  • The data storage unit 201-i is a storage device that stores the data d_i (data to be verified) that is the target of commitment.
  • The data storage unit 201-i outputs data to the commit data generation unit 205 when commit data is generated, and outputs data to the commit data verification unit 206-j (i ≠ j).
  • The authentication information storage unit 202-i stores the authentication information verification key f_i, which is data generated by the authentication information generation unit 102 and is a part of the authentication data used for verification, and the authenticator a_i for the mask data (random number data). In other words, the authentication information storage unit 202-i stores the authentication data and the authenticator generated based on data obtained by substituting a constant for one of the variables in a two-variable polynomial.
  • The mask value storage unit 203-i stores the mask data (mask information) r_i output from the mask value generation unit 101 in order to keep the verification target data confidential.
  • The commit data generation unit 205-i takes as input the data d_i stored in the data storage unit 201-i and the mask data r_i stored in the mask value storage unit 203-i, and generates and outputs commit data c_i for the data d_i stored in the data storage unit 201-i. The commit data generation unit 205-i thereby generates commit data c_i that conceals the data (data to be verified) d_i based on the mask data r_i.
  • The commit data verification unit 206-i verifies the non-falsification of the other verification target data d_j and outputs the verification result, based on the mask data r_j in the other device 200-j and its authenticator a_j, the authentication information verification key f_i that is a part of the authentication data in the own device 200-i, and the other commit data c_j.
  • The commit data verification unit 206-i takes as input the other verification target data d_j stored in the data storage unit 201-j of the other commit data generation/verification device 200-j, the other commit data c_j stored in the commit data storage unit 204-i, the authentication information verification key f_i stored in the authentication information storage unit 202-i, the other mask data r_j stored in the mask value storage unit 203-j, and the other authenticator a_j stored in the authentication information storage unit 202-j, and outputs “0” or “1”.
  • The verification result “1” means that the input data and the disclosed data match, and the verification result “0” means that the input data and the disclosed data are different.
  • The setup device 100 and the commit data generation/verification device 200 shown in FIG. 1 are realized, for example, by a semiconductor integrated circuit such as an LSI (Large Scale Integration) or a DSP (Digital Signal Processor) configured from logic circuits.
  • LSI: Large Scale Integration
  • DSP: Digital Signal Processor
  • The setup device 100 and the commit data generation/verification device 200 may also be realized in software by a computer including a processing device 10 that executes predetermined processing according to a program, an input device 20 for inputting commands, information, and the like to the processing device 10, and an output device 30 for monitoring the processing results of the processing device 10.
  • The processing device 10 shown in FIG. 2 includes a CPU 11, a main storage device 12 that temporarily stores information necessary for the processing of the CPU 11, and a recording medium 13 on which is recorded a program for causing the CPU 11 to execute processing as the setup device 100, the commit data generation unit 205 (205-1 to 205-n), and the commit data verification unit 206 (206-1 to 206-n) described later.
  • The processing device 10 also includes a data storage device 14 that stores the data to be committed, authentication information, mask values, and commit data,
  • a memory control interface unit 15 that controls data transfer among the main storage device 12, the recording medium 13, and the data storage device 14, an I/O interface unit 16 that is an interface unit between the input device 20 and the output device 30, and a communication interface (not shown), in a connected configuration.
  • The data storage device 14 does not need to be in the processing device 10 and may be provided independently of the processing device 10.
  • The processing device 10 implements the setup device 100, the commit data generation unit 205 (205-1 to 205-n), and the commit data verification unit 206 (206-1 to 206-n), which will be described later, according to the program recorded on the recording medium 13.
  • The recording medium 13 may be a magnetic disk, a semiconductor memory, an optical disk, or another recording medium.
  • FIG. 3 is a flowchart showing an example of an operation processing procedure of the setup device in the commitment generation/verification system according to the embodiment of the present invention.
  • FIG. 4 is a flowchart showing an example of an operation processing procedure at the time of commit data generation by the commit data generation/verification apparatus.
  • FIG. 5 is a flowchart illustrating an example of an operation processing procedure at the time of commit data verification.
  • The operation processing procedure in commitment generation/verification is carried out in an authentication system that includes two or more commit data generation/verification devices 200 that generate commit data and verify whether or not the verification target data relating to the commit data has been tampered with, and a setup device 100 for operating each commit data generation/verification device 200, and it performs authentication for verifying the verification target data.
  • As a basic procedure, the overall operation processing in commitment generation/verification according to the present embodiment is as follows. First, mask data for concealing the verification target data relating to each commit data generation/verification device 200 is generated by the mask value generation unit 101, serving as the mask data generation unit, of the setup device 100 (step S1 shown in FIG. 3: mask data generation step).
  • Next, the authentication information generation unit 102 in the setup apparatus 100 generates, as authentication information, the authentication data used for the verification and the authenticator for the mask data (steps S2 to S4 shown in FIG. 3: authentication information generation step).
  • Commit data that conceals the verification target data based on the mask data is generated by the commit data generation unit 205 (205-1 to 205-n) in the commit data generation/verification apparatus 200 (200-1 to 200-n) (steps C1 to C3 shown in FIG. 4: commit data generation step).
  • Based on the mask data and its authenticator in another device (that is, the other mask data and the other authenticator) and on the other commit data, the commit data verification unit 206-i in the commit data generation/verification apparatus 200-i verifies the non-falsification of the other verification target data and outputs the verification result (steps R1 to R6 shown in FIG. 5: commit data verification step).
  • The authentication data and the authenticator are generated based on data obtained by substituting a constant for one of the variables in a two-variable polynomial.
  • When the authentication information is generated, an authentication information generation key generation process is performed that generates an authentication information generation key based on first data, in which the device number is substituted for one of the variables in one of the generated two-variable Kth order polynomials, and second data, in which the device number is substituted for one of the variables in the other two-variable Kth order polynomial.
  • An authentication information verification key generation process is also performed that generates an authentication information verification key based on third data, in which the device number is substituted for the other variable in the one generated two-variable Kth order polynomial, and fourth data, in which the device number is substituted for the other variable in the other two-variable Kth order polynomial.
  • An authenticator generation process for generating an authenticator for the mask data based on the generated authentication information generation key and the mask data is then performed.
  • (Step S2: authentication information generation key generation step or function, authentication information verification key generation step or function.)
  • The random number data (mask data) r_i generated in step S1 is stored in the mask value storage unit 203-i serving as the mask data storage unit, and the authentication information verification key f_i generated in step S2 and the authenticator a_i generated in step S3 are stored in the authentication information storage unit 202-i (step S4: mask data storage step or function, authentication information storage step or function).
  • The commit data generation/verification apparatus 200-i reads the verification target data d_i from the data storage unit 201-i, serving as the verification target data storage unit, and the random number data r_i from the mask value storage unit 203-i into the commit data generation unit 205-i (step C1).
  • The commit data generation unit 205-i generates commit data c_i, which is a value obtained by masking the verification target data d_i with the random number data r_i.
  • The commit data c_i is generated with a method in which the value of the verification target data d_i is completely concealed by the commit data c_i (step C2).
  • The commit data generation/verification device 200-i reads into the commit data verification unit 206-i the other verification target data d_j from the data storage unit 201-j of the other commit data generation/verification device 200-j (j ≠ i), the other authenticator a_j from the authentication information storage unit 202-j, the other random number data (other mask data) r_j from the mask value storage unit 203-j, the authentication information verification key f_i from the authentication information storage unit in the own device (200-i), and the other commit data c_j from the commit data storage unit 204-i (step R1).
  • (Step R2: other verification target data restoration step or function.)
  • The commit data verification unit 206-i takes the other verification target data d_j restored in step R2, the other authenticator a_j relating to the other verification target data d_j, and the authentication information verification key f_i of the own device 200-i, and verifies whether there is any contradiction among the other verification target data d_j, the other authenticator a_j, and the authentication information verification key f_i (step R3: other verification target data verification step or function).
  • If no contradiction is detected, the commit data verification unit 206-i outputs “1” and ends (step R4). If a contradiction is detected, it outputs “0” and ends (step R5).
  • The authentication information for the mask value output by the setup device is obtained by substituting a known constant for one or both variables of one or a plurality of randomly generated two-variable polynomials.
  • each block in the block diagram shown in FIG. 1 may have a software module configuration showing a functionalized state by a program executable by a computer.
  • the physical configuration is, for example, one or a plurality of CPUs (or one or a plurality of CPUs and one or a plurality of memories), but the software configuration by each unit (circuit / means) is exhibited by the CPU by controlling the program.
  • a plurality of functions are expressed as components by a plurality of units (means).
  • each unit (means) is configured in the CPU.
  • in a static state in which the program is not executed, the entire program (or each program part included in the configuration of each unit) that realizes the configuration of each unit is stored in a storage area such as a memory.
  • Each unit (means) described above may be configured so that a computer functionalized by a program is realized together with the function of the program, or may be configured as a device consisting of a plurality of electronic circuit blocks permanently functionalized by specific hardware. Therefore, these functional blocks can be realized in various forms by hardware only, software only, or a combination thereof, and are not limited to any one of these.
  • each unit may be configured as a device including a dedicated computer capable of communication, and the system may be configured by each of these devices. Conversely, a system in which each unit is configured as a single device may be used.
  • the second embodiment shows a specific example of the above-described first embodiment, and will be described using the same diagram as that of the first embodiment.
  • the commitment generation / verification system 1 uses GF(p) (p: prime number or prime number width, GF: Galois field) for each verification target data d_i.
  • a Galois field is the set of remainders obtained by dividing integers by a prime number; it has a finite number of elements and is closed under the four arithmetic operations.
  • a Galois field having p elements is written GF(p).
  • the mask value generation unit 101 of the setup apparatus 100 generates n pieces of random number data r_1, r_2, ..., r_n on GF(p) as mask data.
  • the authentication information generation unit 102 generates at least two bivariate Kth order polynomials h_0 (x, y) and h_1 (x, y) on the Galois field GF (p) randomly and independently. It has a polynomial random generation function.
  • the authentication information generation unit 102 receives the authentication information generation key e_i and the authentication information verification key f_i.
  • the authentication information generation unit 102 assigns one of the variables in one of the generated two-variable Kth order polynomials to one of the variables in the first data and the other two-variable Kth order polynomial.
  • An authentication information generation key generation function for generating an authentication information generation key e_i based on the second data substituted with a constant (for example, a device number) is provided.
  • the authentication information generation unit 102 assigns the third data obtained by assigning a constant (for example, a device number) to the other of the variables in one of the generated two-variable Kth order polynomials and the other of the variables in the other two-variable Kth order polynomials.
  • a constant for example, a device number
  • the authentication information generation unit 102 has an authenticator generation function for generating an authenticator a_i (x) for the generated mask information (mask data) r_i.
  • the setup device 100 has a function of storing the authentication information verification key f_i and the authenticator a_i(x) in the authentication information storage unit 202-i and storing mask data (random number data) r_i in the mask value storage unit 203-i.
  • the mask value generation unit 101 has a function of generating n pieces of independent random number data r_1 to r_n as mask data for masking the verification target data d_1 to d_n held by the commit data generation / verification apparatuses 200 (200-1 to 200-n), respectively.
  • the authentication information generation unit 102 has a function of outputting the random number data r_1 to r_n, the authentication information verification keys f_1 to f_n, and the authenticators a_1 (x) to a_n (x).
  • the authentication information generation key generation function in the authentication information generation unit 102 generates, from one generated two-variable Kth order polynomial h_0(x, y) and the other two-variable Kth order polynomial h_1(x, y), two types of data per device, h_0(x, i) and h_1(x, i).
  • an authentication information verification key f_i for the device number i of the own device is obtained as
  • f_i = (h_0(i, y), h_1(i, y))
  • that is, two types of data, h_0(i, y) and h_1(i, y), are obtained per device.
  • a function is provided for generating the authenticator a_i(x) for the random number data r_i, based on the generated authentication information generation key e_i (that is, h_0(x, i) and h_1(x, i)) and the random number data r_i, by
  • a_i(x) = e_{i0}(x) + r_i · e_{i1}(x)
  • the commit data generation unit 205 calculates the sum of the verification target data stored in the data storage unit 201 serving as the verification target data storage unit and the random number data stored in the mask value storage unit 203 serving as a mask data storage unit. Thus, the commit data is generated and stored in the commit data storage unit 204.
  • the commit data generation unit 205-i has a function of storing the generated commit data c_i in the commit data storage units 204 (204-1 to 204-n) of all the commit data generation / verification devices 200 (200-1 to 200-n).
  • the commit data generation unit 205-1 stores the generated commit data c_1 in the commit data storage units 204 (204-1 to 204-n) of all the commit data generation / verification apparatuses 200 (200-1 to 200-n).
  • the commit data generation unit 205-n stores the generated commit data c_n in the commit data storage units 204 (204-1 to 204-n) of all the commit data generation / verification apparatuses 200 (200-1 to 200-n). Therefore, commit data c_1 to c_n are stored in the commit data storage unit 204-1. Similarly, commit data c_1 to c_n are stored in the commit data storage unit 204-n.
  • the commit data verification unit 206 includes an other verification target data restoration function for restoring other verification target data from other commit data and other random number data, and an other verification target data verification function. The verification function uses the other verification target data restored by the restoration function, the other authenticator related to that data, and the authentication information verification key of the local device to verify whether or not there is any contradiction among the other verification target data, the other authenticator, and the authentication information verification key.
  • the generated commit data c_i is stored in the commit data storage unit 204 of all the commit data generation / verification apparatuses 200.
  • the commit data verification unit 206-i receives other mask data (other random number data) r_j and other authenticator a_j(x) from the other commit data generation / verification device 200-j, reads the authentication information verification key f_i from the authentication information storage unit 202-i of its own device and the other commit data c_j from the commit data storage unit 204-i of its own device, and checks whether or not the following equation is satisfied.
  • a_j(i) = f_{i0}(j) + (c_j − r_j) · f_{i1}(j)
  • the authentication information generation unit 102 sets the degree K of the polynomial to a natural number not exceeding (3k − 2) / 2, where k is the number of devices.
  • the size of the data necessary for verifying the commit, for example the authentication information stored for verifying the commit, is also about log(p) × (9k − 6) / 2 bits.
  • the third embodiment shows still another specific example of the first embodiment described above, and will be described with reference to the same drawing as that of the first embodiment.
  • the commitment generation / verification system in the present embodiment also uses GF(p) (p: prime number or prime number width, GF: Galois field) for each verification target data d_{i1}, d_{i2}, ..., d_{im}.
  • the mask value generation unit 101 of the setup apparatus 100 generates n × m random number data r_{11}, r_{12}, ..., r_{1m}, r_{21}, r_{22}, ..., r_{2m}, ..., r_{n1}, r_{n2}, ..., r_{nm} on GF(p) as mask data.
  • the mask value generation unit 101 as the mask data generation unit stores the m random number data r_{i1}, r_{i2}, ..., r_{im} in the mask value storage unit 203-i as the mask data storage unit for the device number i.
  • the authentication information generation unit 102 randomly and independently generates m + 1 bivariate K-th order polynomials h_{01}(x, y), h_{02}(x, y), ..., h_{0m}(x, y) and h_1(x, y) on GF(p).
  • the authentication information generation unit 102 receives the authentication information generation key e_{il} and the authentication information verification key f_i, respectively.
  • the authentication information generation unit 102 has an authenticator generation function for generating an authenticator a_{il}(x) for mask information (random data that is an example of mask data) r_{il}.
  • the setup device 100 stores the authentication information verification key f_i and the authenticator a_{il}(x) in the authentication information storage unit 202-i and r_{il} in the mask value storage unit 203-i.
  • the mask data generation unit 101 stores m random numbers r_{i1}, r_{i2}, ..., r_{im} in the mask data storage unit for the device number i.
  • m + 1 bivariate Kth order polynomials h_{01}(x, y), h_{02}(x, y), ..., h_{0m}(x, y), h_1(x, y) are generated randomly and independently.
  • a function for generating m + 1 types of the generated keys per apparatus is provided.
  • the other verification target data verification function in the second embodiment reads the other random number data r_{jl} and the other authenticator a_{jl}(x) of the device number j of the other device, the authentication information verification key f_i of the authentication information storage unit of the device number i of the own device, and the other commit data c_{jl} of the commit data storage unit of the device number i of the own device.
  • a_{jl}(i) is calculated by substituting the device number i for x of a_{jl}(x), and f_{i0l}(j) and f_{i1}(j) are calculated by substituting the device number j into the two expressions of f_i, respectively.
  • a_{jl}(i) = f_{i0l}(j) + (c_{jl} − r_{jl}) · f_{i1}(j)
  • the authentication information generation unit 102 sets the degree K of the bivariate Kth order polynomial to a natural number not exceeding (3k − 2) / 2 when the number of devices is k, and has a function of generating the authentication data and the authenticator based on this.
  • the generated commit data c_{il} is stored in the commit data storage unit 204 of all the commit data generation / verification apparatuses 200.
  • a_{jl}(i) = f_{i0l}(j) + (c_{jl} − r_{jl}) · f_{i1}(j). If the above formula is satisfied, “1” is output, and if not, “0” is output.
  • Each of the commit data generation / verification units 206-i can calculate commitments for up to m verification target data d_{i1}, d_{i2}, ..., d_{im}. This removes the restriction of the second embodiment of the present invention, in which a commitment could be generated for only one data.
  • the number, position, shape, and the like of the above-described constituent members are not limited to the above-described embodiment, and can be set to a suitable number, position, shape, and the like in carrying out the present invention.
  • a setup apparatus operates at least two commit data generation / verification apparatuses that generate commit data and verify whether or not the verification target data relating to the commit data is falsified.
  • the setup device includes a mask data generation function for generating mask data for concealing the verification target data related to each commit data generation / verification device, and an authentication used for the verification related to each commit data generation / verification device.
  • an authentication information generation function for generating an authenticator for each of the data and the mask data.
  • the authentication information generation function includes a function of generating the authentication data and the authenticator based on data obtained by assigning a constant to one of the variables in the two-variable polynomial.
  • the commit data generation / verification apparatus generates commit data and verifies whether or not the verification target data related to the commit data is falsified.
  • the commit data generation / verification device may comprise: a mask data storage function for storing mask data generated for concealing the verification target data; an authentication information storage function for storing authentication data used for the verification and an authenticator for the mask data; a verification target data storage function for storing the verification target data; a commit data generation function for generating the commit data for concealing the verification target data based on the mask data; a commit data storage function for storing all commit data output by the own device; and a commit data verification function that verifies the non-falsification of other verification target data and outputs the verification result based on other mask data in other devices, other authenticators, a part of the authentication data in the own device, and other commit data.
  • the authentication information storage function includes a function for storing the authentication data and the authenticator generated based on data obtained by assigning a constant to one of the variables in the two-variable polynomial.
  • key cryptography using a multivariable polynomial, including a two-variable Kth order polynomial, is an encryption scheme that bases its security on an NP-complete problem. Even though a quantum computer can break the RSA cipher and the elliptic curve cipher, it is predicted that it cannot solve NP-complete problems. Therefore, the key cipher using the multivariable polynomial functions as a quantum-computer-resistant key cipher.
  • key cryptography using multivariate polynomials does not require quantum information processing such as quantum cryptography, and is an encryption method that can be used on current networks. A low introduction cost can therefore be realized by using the existing network.
  • the authentication system may be configured such that each communication device and the management device are connected to each other via a communication network to exchange information between the communication devices.
  • when the bit commitment protocol is implemented between the communication devices, this can be realized by installing a commit data generation / verification device in each communication device and a setup device in the management device.
  • the communication structure is not limited to the client server system, and may be a system based on peer-to-peer communication in which terminals form a network without passing through a server and transmit / receive data to / from each other.
  • the steps shown in the flowchart include not only processes that are executed in time series according to the described procedure but also processes that are executed in parallel or individually without necessarily being processed in time series.
  • the order in which the program procedures (steps) are executed may be changed.
  • the specific procedures (steps) described herein may be implemented, removed, added, or rearranged as a combined procedure (step) as needed for implementation.
  • the communication may be wireless communication, wired communication, or communication in which wireless communication and wired communication are mixed, that is, wireless communication is performed in a certain section and wired communication is performed in another section. Further, communication from one device to another device may be performed by wired communication, and communication from the other device back to the first device may be performed by wireless communication.
  • the present invention can be used for authentication systems in general.
  • 1 Commitment generation / verification system (authentication system)
  • 100 Setup device
  • 101 Mask value generation unit (mask data generation unit)
  • 102 Authentication information generation unit
  • 1021 Bivariate polynomial generation / calculation unit
  • 200 (200-1 to 200-n) Commit data generation / verification device
  • 201 (201-1 to 201-n) Data storage unit (verification target data storage unit)
  • 202 (202-1 to 202-n) Authentication information storage unit
  • 203 (203-1 to 203-n) Mask value storage unit (mask data storage unit)
  • 204 (204-1 to 204-n) Commit data storage unit
  • 205 (205-1 to 205-n) Commit data generation unit
  • 206 (206-1 to 206-n) Commit data verification unit

Abstract

The invention relates to an authentication system that allows the amount of information held by each participant to be smaller than an amount proportional to the total number (n) of users. A setup device (100) for enabling two or more commit data generation/verification devices (200) to generate commit data and to verify the presence or absence of falsification of the verification target data relating to the commit data comprises an authentication information generation unit (102) for generating authentication data and authenticators used for the verification. The authentication information generation unit (102) generates the authentication data and the authenticators on the basis of data obtained by assigning a constant to one variable in a two-variable polynomial.
PCT/JP2010/050538 2009-02-03 2010-01-19 Authentication system, method and program WO2010090068A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2009-022837 2009-02-03
JP2009022837 2009-02-03

Publications (1)

Publication Number Publication Date
WO2010090068A1 true WO2010090068A1 (fr) 2010-08-12

Family

ID=42541972

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2010/050538 WO2010090068A1 (fr) 2009-02-03 2010-01-19 Authentication system, method and program

Country Status (1)

Country Link
WO (1) WO2010090068A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003143135A (ja) * 2001-10-30 2003-05-16 Toshiba Corp Signature distribution system, program and method
JP2006197323A (ja) * 2005-01-14 2006-07-27 Nippon Telegr & Teleph Corp <Ntt> Proof-carrying program distribution method and proof-carrying program distribution system
JP2007157021A (ja) * 2005-12-08 2007-06-21 Nippon Telegr & Teleph Corp <Ntt> Tamper-resistant proof-carrying program distribution system and method therefor
WO2008001628A1 (fr) * 2006-06-30 2008-01-03 Nec Corporation Distributed information generator and restoration device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YASUYUKI TSUKADA: "Proof Hiding in Interactive Proof-carrying Code and Its Applications", TRANSACTIONS OF INFORMATION PROCESSING SOCIETY OF JAPAN, VOL.46, NO.L, IPSJ JOURNAL, vol. 46, no. 1, 15 January 2005 (2005-01-15), pages 236 - 246 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10738406

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10738406

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP