WO2023188218A1 - Signature control method, signature control program, information processing device, and system - Google Patents


Publication number
WO2023188218A1
Authority
WO
WIPO (PCT)
Prior art keywords
signature
key
information processing
verification
original
Prior art date
Application number
PCT/JP2022/016365
Other languages
French (fr)
Japanese (ja)
Inventor
陸大 小嶋
泰久 奥村
哲也 伊豆
和明 二村
秀暢 小栗
Original Assignee
富士通株式会社
Priority date
Filing date
Publication date
Application filed by 富士通株式会社
Priority to PCT/JP2022/016365
Publication of WO2023188218A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present invention relates to a signature control method, a signature control program, an information processing device, and a system.
  • an electronic signature using a signature key is sometimes attached to document information.
  • to reduce the signer's work burden in managing the generation and revocation of the signature key, there is a remote signature method in which the signer outsources the management of the signature key and the assignment of electronic signatures to data to an external server.
  • for example, there is a system in which a server device performs a first encryption on a hash value of an electronic document using a first split key to generate encrypted data, and another server device generates signature data by performing a second encryption on the encrypted data using a split key.
  • a signature key may be leaked to an attacker from an external server.
  • data that requests an external server to add a digital signature may be intercepted and tampered with by an attacker.
  • an administrator of an external server may be the attacker.
  • the present invention aims to improve the reliability of signatures.
  • the second signature key is obtained from a management device that has a combination of a first signature key and a second signature key that makes it possible to generate the same signature as the original signature key, and the second signature key is anonymized.
  • a signature control device, a signature control method, and a signature control program for transmitting the generated second signature to the first device are proposed.
  • FIG. 1 is an explanatory diagram showing an example of the signature control method according to the embodiment.
  • FIG. 2 is an explanatory diagram showing an example of the signature control system 200.
  • FIG. 3 is a block diagram showing an example of the hardware configuration of the information processing device 100.
  • FIG. 4 is an explanatory diagram showing an example of the stored contents of the key management table 310.
  • FIG. 5 is a block diagram showing an example of the hardware configuration of the key management device 201.
  • FIG. 6 is a block diagram showing an example of the hardware configuration of the signing device 202.
  • FIG. 7 is a block diagram showing an example of the hardware configuration of the verification side device 203.
  • FIG. 8 is a block diagram showing an example of the functional configuration of the signature control system 200.
  • FIG. 9 is an explanatory diagram showing an example of a blind signature method.
  • FIG. 10 is an explanatory diagram (part 1) showing operation example 1 of the signature control system 200.
  • FIG. 11 is an explanatory diagram (part 2) showing operation example 1 of the signature control system 200.
  • FIG. 12 is a sequence diagram (part 1) showing an example of the registration processing procedure.
  • FIG. 13 is a sequence diagram (part 2) showing an example of the registration processing procedure.
  • FIG. 14 is a sequence diagram (part 1) showing an example of the signature processing procedure.
  • FIG. 15 is a sequence diagram (part 2) showing an example of the signature processing procedure.
  • FIG. 1 is an explanatory diagram showing an example of the signature control method according to the embodiment.
  • the information processing device 100 is a computer for improving the reliability of signatures.
  • the signature is an electronic signature.
  • the signature is defined by, for example, RSA (Rivest Shamir Adleman) cryptography.
  • an electronic signature using a signature key is sometimes attached to document information.
  • to reduce the signer's work burden in managing the generation and revocation of the signature key, the signer outsources the management of the signature key and the assignment of electronic signatures to data to an external server.
  • the remote signature method is defined, for example, in Reference 1 below.
  • one possible method is for the signer to upload the data itself to an external server.
  • an external server accepts the data itself, generates an electronic signature on the accepted data using a signature key, attaches the generated electronic signature to the data, and provides the data with the electronic signature attached to the signer.
  • This method may not ensure data security. For example, there is a problem that data may be leaked to an external server. For example, data may be leaked to an attacker from an external server.
  • a possible method is for the signer to upload the hash value of the data to an external server instead of the data itself.
  • an external server accepts a hash value of data, generates an electronic signature for the accepted hash value using a signature key, attaches the generated electronic signature to the hash value, and provides the hash value with the electronic signature attached to the signer.
  • With this method, it may not be possible to ensure the reliability of the electronic signature.
  • a signature key may be leaked to an attacker from an external server.
  • the hash value of data for which an external server is requested to add a digital signature may be intercepted and tampered with by an attacker, or may be intercepted by an attacker and replaced with a hash value of fraudulent data.
  • an administrator of an external server may be the attacker.
  • the signer may receive a hash value of fraudulent data that has been given an electronic signature.
  • an information processing device 100 can communicate with a management device 101, a first device 102, and a second device 103.
  • the management device 101 has an original verification key 112 corresponding to the original signature key 111 and a combination of a first signature key 121 and a second signature key 131 forming the original signature key 111. It is assumed that the signature by the original signature key 111 and the signature by the combination of the first signature key 121 and the second signature key 131 are the same signature.
  • the original verification key 112 is a key that allows the signature created by the original signature key 111 to be verified, and is a key that allows the signature created by the combination of the first signature key 121 and the second signature key 131 to be verified.
  • a first verification key 122 corresponding to the first signature key 121 exists.
  • the first verification key 122 is a key that allows the signature by the first signature key 121 to be verified.
  • the management device 101 does not need to have the first verification key 122.
  • a second verification key 132 corresponding to the second signature key 131 exists.
  • the second verification key 132 is a key that allows the signature by the second signature key 131 to be verified.
  • the management device 101 does not need to have the second verification key 132.
  • the first device 102 is capable of communicating with the management device 101, for example.
  • the first device 102 obtains the first signature key 121 from the management device 101, for example.
  • the first device 102 generates a first signature 142 using the first signature key 121 for the anonymized data 141, for example.
  • the first device 102 performs an anonymization process on the target data, generates anonymized data 141 corresponding to the target data, and uses a predetermined signature function to generate a first signature 142 on the generated anonymized data 141 using the first signature key 121.
  • the anonymization process is, for example, a hash function.
  • the first device 102 transmits the generated first signature 142 to the information processing device 100.
  • the first device 102 may transmit the anonymized data 141 to which the first signature 142 is attached to the information processing device 100.
  • the information processing device 100 obtains the original verification key 112 and the second signature key 131 from the management device 101.
  • the information processing device 100 receives the first signature 142 based on the first signature key 121 on the anonymized data 141 from the first device 102 having the first signature key 121.
  • the information processing device 100 may receive the anonymized data 141 to which the first signature 142 is attached from the first device 102.
  • the information processing device 100 can obtain information useful for generating a signature based on the combination of the first signature key 121 and the second signature key 131 without referring to the first signature key 121.
  • the first apparatus 102 can avoid disclosing the first signature key 121 and can conceal the first signature key 121.
  • the information processing device 100 generates a second signature 143 based on the acquired second signature key 131 for the received first signature 142.
  • the information processing apparatus 100 generates a second signature 143 based on the acquired second signature key 131 for the received first signature 142, for example, using a predetermined signature function. Thereby, the information processing device 100 can obtain a signature based on the combination of the first signature key 121 and the second signature key 131 that can be verified using the original verification key 112 without referring to the first signature key 121.
  • the information processing device 100 transmits the generated second signature 143 to the first device 102. Thereby, the information processing device 100 can make the generated second signature 143 usable by the first device 102. For example, the information processing device 100 can make the generated second signature 143 available by associating it with the anonymized data 141 or the target data. For example, the first device 102 may transmit target data to which the second signature 143 is attached to the second device 103.
  • the information processing device 100 transmits the acquired original verification key 112 to the second device 103 that verifies the second signature 143. Thereby, the information processing device 100 can enable the second device 103 to verify the second signature 143.
  • In this way, the information processing device 100 can generate a second signature 143, based on the combination of the first signature key 121 and the second signature key 131, that can be verified using the original verification key 112, without referring to the target data itself and without referring to the first signature key 121. Then, the information processing device 100 can enable the first device 102 to use the second signature 143. The information processing device 100 can enable the second device 103 to verify the second signature 143.
  • the information processing device 100 can make the first signature key 121 confidential, and can improve the reliability of the second signature 143.
  • the information processing device 100 can prevent the first signature key 121 from being leaked to an attacker.
  • the information processing device 100 can make it difficult for an attacker to intercept the first signature 142 and falsify the first signature 142 or replace the first signature 142 with a fraudulent signature.
  • the information processing device 100 can make it difficult to illegally generate the first signature 142 even if the user of the device is an attacker.
  • the first device 102 is a device different from the management device 101 and can communicate with the management device 101, but the present invention is not limited to this.
  • the first device 102 may be the same device as the management device 101.
  • the first device 102 has an original verification key 112 corresponding to the original signature key 111 and a combination of the first signature key 121 and the second signature key 131 forming the original signature key 111.
  • the information processing device 100 acquires at least the original verification key 112 and the second signature key 131 from the management device 101, but the present invention is not limited to this.
  • the information processing device 100 may further acquire the first verification key 122 from the management device 101. Thereby, the information processing device 100 can verify the first signature 142, and can improve security.
  • the management device 101 may transmit the original verification key 112 to the second device 103.
  • the first device 102 may receive the original verification key 112 from the management device 101 and transmit it to the second device 103.
  • the present invention is not limited to this.
  • a plurality of computers may cooperate to realize the functions of the information processing device 100.
  • the functions of the information processing device 100 may be implemented on the cloud.
  • FIG. 2 is an explanatory diagram showing an example of the signature control system 200.
  • the signature control system 200 includes an information processing device 100, one or more key management devices 201, one or more signing devices 202, and one or more verification devices 203.
  • the information processing device 100 and the key management device 201 are connected via a wired or wireless network 210.
  • the network 210 is, for example, a LAN (Local Area Network), a WAN (Wide Area Network), the Internet, or the like.
  • the information processing device 100 and the signature side device 202 are connected via a wired or wireless network 210.
  • the information processing device 100 and the verification device 203 are connected via a wired or wireless network 210.
  • a key management device 201 and a signing device 202 are connected via a wired or wireless network 210.
  • a signing device 202 and a verifying device 203 are connected via a wired or wireless network 210.
  • the key management device 201 is a computer that manages signature keys.
  • the key management device 201 is used, for example, by a signer.
  • the key management device 201 generates an original key pair.
  • An original key pair is a combination of an original signing key and an original verification key.
  • the original signature key corresponds to the original signature key 111 shown in FIG.
  • the original verification key corresponds to the original verification key 112 shown in FIG.
  • the key management device 201 generates a protection key pair.
  • a protection key pair is a combination of a protection signature key and a protection verification key.
  • the protected signature key corresponds to the first signature key 121 shown in FIG.
  • the protection verification key corresponds to the first verification key 122 shown in FIG.
  • the key management device 201 generates an escrow signature key.
  • the escrow signature key corresponds to the second signature key 131 shown in FIG.
  • the key management device 201 generates an escrow signature key so that an original signature key can be formed by combining the protected signature key and the escrow signature key.
  • the key management device 201 provides at least the protected signature key to the signing device 202.
  • the key management device 201 provides at least the escrow signature key to the information processing device 100.
  • the key management device 201 may further provide the information processing device 100 with a protection verification key.
  • the key management device 201 may provide the protection verification key to the information processing device 100 via the signing device 202.
  • the key management device 201 may further provide the original verification key to the information processing device 100.
  • the key management device 201 is, for example, a server or a PC (Personal Computer).
  • the signing device 202 is a computer that generates a protected signature using a protected signature key.
  • the protection signature corresponds to the first signature shown in FIG.
  • Signing side device 202 is used, for example, by a signer.
  • the signing device 202 receives the protected signature key from the key management device 201.
  • the signature side device 202 has anonymized data obtained by performing an anonymization process on the target data.
  • the signature side device 202 performs an anonymization process on the target data to generate anonymization data.
  • the signature side device 202 may receive anonymized data obtained by performing an anonymization process on the target data from another computer.
  • Signing side device 202 generates a protection signature for anonymized data using a protection signature key.
  • the signing device 202 transmits the generated protected signature to the information processing device 100.
  • the signing device 202 may transmit the anonymized data to which the generated protection signature has been added to the information processing device 100.
  • the signing device 202 receives the escrow signature based on the escrow signature key for the protected signature from the information processing device 100.
  • Signing side device 202 transmits the escrow signature based on the escrow signature key for the protected signature to verification side device 203.
  • the signing device 202 transmits the target data to which the escrow signature has been attached to the verification device 203.
  • the signature side device 202 is, for example, a PC, a tablet terminal, or a smartphone.
  • the information processing device 100 is a computer that generates an escrow signature using an escrow signature key.
  • the escrow signature corresponds to the second signature shown in FIG.
  • the information processing device 100 is used, for example, by a system administrator of the signature control system 200.
  • the information processing device 100 receives the escrow signature key from the key management device 201.
  • the information processing device 100 may receive the protection verification key from the key management device 201.
  • the information processing device 100 may receive the original verification key from the key management device 201.
  • the information processing device 100 receives the protection signature from the signing device 202.
  • the information processing device 100 may receive anonymized data to which a protection signature is attached from the signing device 202.
  • the information processing device 100 may verify whether the protection signature is valid based on the protection verification key. If the protection signature is not valid, the information processing device 100 discards the protection signature. The information processing apparatus 100 generates an escrow signature using the escrow signature key for the protection signature. The information processing device 100 transmits the generated escrow signature to the signing device 202. The information processing device 100 transmits the original verification key to the verification side device 203.
  • the information processing device 100 is, for example, a server or a PC.
  • the verifying device 203 receives the escrow signature from the signing device 202.
  • the verification side device 203 is used, for example, by a verifier.
  • the verification side device 203 receives target data to which an escrow signature has been attached from the signature side device 202. Verification side device 203 obtains the original verification key. The verification device 203 receives, for example, the original verification key from the information processing device 100. The verification device 203 verifies whether the escrow signature is valid based on the original verification key. The verification side device 203 discards the target data if the escrow signature is not valid.
  • the verification device 203 is, for example, a PC, a tablet terminal, or a smartphone.
  • the key management device 201 provides the original verification key to the information processing device 100 so that the verification side device 203 can obtain the original verification key, but the present invention is not limited to this.
  • the key management device 201 may provide the original verification key to the verification device 203 via the signing device 202.
  • the key management device 201 may directly provide the original verification key to the verification device 203.
  • the key management device 201 is a device different from the signing device 202, but the present invention is not limited to this.
  • the signing device 202 may have a function as the key management device 201 and can also operate as the key management device 201.
  • the signing device 202 has the function of the verifying device 203 and can also operate as the verifying device 203.
  • FIG. 3 is a block diagram showing an example of the hardware configuration of the information processing device 100.
  • the information processing apparatus 100 includes a CPU (Central Processing Unit) 301, a memory 302, a network I/F (Interface) 303, a recording medium I/F 304, and a recording medium 305. Further, each component is connected to each other by a bus 300.
  • the CPU 301 controls the entire information processing device 100.
  • the memory 302 includes, for example, a ROM (Read Only Memory), a RAM (Random Access Memory), a flash ROM, and the like. Specifically, for example, a flash ROM or ROM stores various programs, and a RAM is used as a work area for the CPU 301.
  • the program stored in the memory 302 is loaded into the CPU 301 and causes the CPU 301 to execute the coded processing.
  • the memory 302 stores, for example, a protection verification key, an escrow signature key, and an original verification key in association with each other for each signing device 202.
  • the protection verification key is, for example, a protection verification key corresponding to the protection signature key provided to the signing device 202.
  • the escrow signature key is, for example, an escrow signature key that is combined with a protected signature key provided to the signing device 202.
  • the original verification key is, for example, an original verification key that corresponds to an original signature key that makes it possible to generate a signature identical to that of the combination of the protected signature key and the escrow signature key.
  • the memory 302 stores a key management table 310, which will be described later in FIG.
  • the network I/F 303 is connected to a network 210 through a communication line, and is connected to other computers via the network 210.
  • the network I/F 303 serves as an internal interface with the network 210, and controls data input/output from other computers.
  • the network I/F 303 is, for example, a modem or a LAN adapter.
  • the recording medium I/F 304 controls reading/writing of data to/from the recording medium 305 under the control of the CPU 301.
  • the recording medium I/F 304 is, for example, a disk drive, an SSD (Solid State Drive), a USB (Universal Serial Bus) port, or the like.
  • the recording medium 305 is a nonvolatile memory that stores data written under the control of the recording medium I/F 304.
  • the recording medium 305 is, for example, a disk, a semiconductor memory, a USB memory, or the like.
  • the recording medium 305 may be removable from the information processing apparatus 100.
  • the information processing device 100 may include, for example, a keyboard, a mouse, a display, a printer, a scanner, a microphone, a speaker, and the like. Further, the information processing apparatus 100 may include a plurality of recording medium I/Fs 304 and recording media 305. Further, the information processing apparatus 100 does not need to have the recording medium I/F 304 or the recording medium 305.
  • the key management table 310 is realized, for example, by a storage area such as the memory 302 or the recording medium 305 of the information processing apparatus 100 shown in FIG. 3.
  • FIG. 4 is an explanatory diagram showing an example of the stored contents of the key management table 310.
  • the key management table 310 has fields of plug-in ID, protection verification key, escrow signature key, and original verification key.
  • key management information is stored as a record 400-a by setting information in each field for each signing device 202. a is any integer.
  • a plug-in ID which is identification information for identifying the browser plug-in possessed by the signing device 202, is set in the plug-in ID field.
  • a protection verification key is set in the protection verification key field.
  • a protection verification key corresponding to the protection signature key provided to the signing device 202 is set in the protection verification key field.
  • the protection verification key is provided, for example, from the key management device 201.
  • the escrow signature key is set in the escrow signature key field.
  • an escrow signature key to be combined with the protected signature key provided to the signing device 202 is set.
  • the escrow signature key is provided, for example, from the key management device 201.
  • the original verification key is set in the original verification key field.
  • an original verification key that enables generation of the same signature as the combination of the protected signature key provided to the signing device 202 and the escrow signature key is set.
  • the original verification key is provided, for example, from the key management device 201.
  • FIG. 5 is a block diagram showing an example of the hardware configuration of the key management device 201.
  • the key management device 201 includes a CPU 501, a memory 502, a network I/F 503, a recording medium I/F 504, and a recording medium 505. Further, each component is connected to each other by a bus 500.
  • the example hardware configuration of the key management device 201 is specifically the same as the example hardware configuration of the information processing device 100, but the storage contents of the memory 502 are different from the storage contents of the memory 302.
  • the memory 502 stores, for example, a protection key pair, an escrow key pair, and an original key pair generated by the signing device 202 in association with each other.
  • the memory 502 does not need to store the escrow verification key among the escrow key pair.
  • the memory 502 may discard the original signature key from the original key pair.
  • FIG. 6 is a block diagram showing an example of the hardware configuration of the signing device 202.
  • the signature side device 202 includes a CPU 601, a memory 602, a network I/F 603, a recording medium I/F 604, a recording medium 605, a display 606, and an input device 607. Further, each component is connected to each other by a bus 600.
  • Memory 602 includes, for example, ROM, RAM, flash ROM, and the like. Specifically, for example, a flash ROM or ROM stores various programs, and a RAM is used as a work area for the CPU 601. The program stored in the memory 602 is loaded into the CPU 601 and causes the CPU 601 to execute the coded processing.
  • the memory 602 stores, for example, a protection key pair provided to the device itself. For example, the memory 602 does not need to store the protection verification key among the protection key pair.
  • the network I/F 603 is connected to a network 210 through a communication line, and is connected to other computers via the network 210.
  • the network I/F 603 serves as an internal interface with the network 210, and controls data input/output from other computers.
  • the network I/F 603 is, for example, a modem or a LAN adapter.
  • the recording medium I/F 604 controls data read/write to the recording medium 605 under the control of the CPU 601.
  • the recording medium I/F 604 is, for example, a disk drive, SSD, or USB port.
  • the recording medium 605 is a nonvolatile memory that stores data written under the control of the recording medium I/F 604.
  • the recording medium 605 is, for example, a disk, a semiconductor memory, a USB memory, or the like.
  • the recording medium 605 may be removable from the signing device 202.
  • the display 606 displays data such as a cursor, icons, or toolboxes, as well as documents, images, and functional information.
  • the display 606 is, for example, a CRT (Cathode Ray Tube), a liquid crystal display, an organic EL (Electroluminescence) display, or the like.
  • the input device 607 has keys for inputting characters, numbers, various instructions, etc., and inputs data.
  • the input device 607 may be a keyboard, a mouse, or the like, or may be a touch panel type input pad, a numeric keypad, or the like.
  • the signature side device 202 may include, for example, a printer, a scanner, a microphone, a speaker, and the like. Further, the signature side device 202 may have a plurality of recording medium I/Fs 604 and recording media 605. Further, the signature side device 202 does not need to have the recording medium I/F 604 or the recording medium 605.
  • FIG. 7 is a block diagram showing an example of the hardware configuration of the verification side device 203.
  • the verification side device 203 includes a CPU 701, a memory 702, a network I/F 703, a recording medium I/F 704, a recording medium 705, a display 706, and an input device 707. Further, each component is connected to each other by a bus 700.
  • the hardware configuration example of the verification side device 203 is similar to the hardware configuration example of the signature side device 202, but the storage contents of the memory 702 are different from the storage contents of the memory 602.
  • the memory 702 stores, for example, the original verification key provided to the device itself.
  • Memory 702 includes, for example, ROM, RAM, flash ROM, and the like. Specifically, for example, a flash ROM or ROM stores various programs, and a RAM is used as a work area for the CPU 701. The program stored in the memory 702 is loaded into the CPU 701 and causes the CPU 701 to execute the coded processing.
  • the network I/F 703 is connected to a network 210 through a communication line, and is connected to other computers via the network 210.
  • the network I/F 703 serves as an internal interface with the network 210, and controls data input/output from other computers.
  • the network I/F 703 is, for example, a modem or a LAN adapter.
  • the recording medium I/F 704 controls data read/write to the recording medium 705 under the control of the CPU 701.
  • the recording medium I/F 704 is, for example, a disk drive, an SSD, a USB port, or the like.
  • the recording medium 705 is a nonvolatile memory that stores data written under the control of the recording medium I/F 704.
  • the recording medium 705 is, for example, a disk, a semiconductor memory, a USB memory, or the like.
  • the recording medium 705 may be removable from the verification device 203.
  • the display 706 displays data such as a cursor, icons, or toolboxes, as well as documents, images, and functional information.
  • the display 706 is, for example, a CRT (Cathode Ray Tube), a liquid crystal display, an organic EL (Electroluminescence) display, or the like.
  • the input device 707 has keys for inputting characters, numbers, various instructions, etc., and inputs data.
  • the input device 707 may be a keyboard, a mouse, or the like, or may be a touch panel type input pad, a numeric keypad, or the like.
  • the verification-side device 203 may include, for example, a printer, a scanner, a microphone, a speaker, and the like. Further, the verification side device 203 may have a plurality of recording medium I/Fs 704 and recording media 705. Further, the verification side device 203 does not need to have the recording medium I/F 704 or the recording medium 705.
  • FIG. 8 is a block diagram showing an example of the functional configuration of the signature control system 200.
  • the signature control system 200 is a system including, for example, a management device 801, a first device 802, an information processing device 100, and a second device 803.
  • the management device 801 is, for example, the key management device 201 shown in FIG. 2. In the following description, it is assumed that the management device 801 is the "key management device 201."
  • the first device 802 is, for example, the signing device 202 shown in FIG. 2. In the following description, it is assumed that the first device 802 is the "signing device 202."
  • the second device 803 is, for example, the verification device 203 shown in FIG. 2. In the following description, it is assumed that the second device 803 is the "verification side device 203."
  • the management device 801 may be the same device as the first device 802.
  • the key management device 201 includes a first storage unit 810, a first acquisition unit 811, a first generation unit 812, and a first output unit 813.
  • the first storage unit 810 is realized, for example, by a storage area such as the memory 502 or the recording medium 505 shown in FIG. Although a case will be described below in which the first storage unit 810 is included in the key management device 201, the present invention is not limited to this.
  • the first storage unit 810 may be included in a device different from the key management device 201, and the stored contents of the first storage unit 810 may be referenced by the key management device 201.
  • the first acquisition unit 811 to first output unit 813 function as an example of a control unit of the key management device 201.
  • the first acquisition unit 811 to the first output unit 813 realize their functions, for example, by the network I/F 503 or by causing the CPU 501 to execute a program stored in a storage area such as the memory 502 or the recording medium 505 shown in FIG.
  • the processing results of each functional unit are stored in a storage area such as the memory 502 or the recording medium 505 shown in FIG. 5, for example.
  • the first storage unit 810 stores various information that is referenced or updated in the processing of each functional unit.
  • the first storage unit 810 stores a signature key or a verification key to be provided to a predetermined signing device 202.
  • the signature key is realized by, for example, a private key.
  • the verification key is realized by, for example, a public key.
  • the first storage unit 810 stores, for example, an original signature key to be provided to a predetermined signing device 202.
  • the original signature key corresponds to, for example, the original signature key.
  • the original signature key is generated by the first generation unit 812, for example.
  • the first storage unit 810 stores, for example, an original verification key corresponding to an original signature key provided to a predetermined signing device 202.
  • the original verification key can verify the signature by the original signature key.
  • the original verification key corresponds to, for example, the original verification key.
  • the original verification key is generated by the first generation unit 812, for example.
  • the first storage unit 810 stores, for example, a first signature key to be provided to a predetermined signing device 202.
  • the first signature key corresponds to, for example, a protected signature key.
  • the first signature key is generated by the first generation unit 812, for example.
  • the first signature key enables generation of the first signature.
  • the first storage unit 810 stores, for example, a first verification key corresponding to a first signature key provided to a predetermined signing device 202.
  • the first verification key is capable of verifying the signature by the first signature key.
  • the first verification key corresponds to, for example, a protection verification key.
  • the first verification key is generated by the first generation unit 812, for example.
  • the first storage unit 810 stores, for example, a second signature key to be provided to a predetermined signing device 202.
  • the second signature key corresponds to, for example, the escrow signature key.
  • the second signature key is generated by the first generation unit 812, for example.
  • the second signature key allows a second signature to be generated.
  • the first storage unit 810 stores, for example, a second verification key corresponding to a second signature key provided to a predetermined signing device 202.
  • the second verification key is capable of verifying the signature by the second signature key.
  • the second verification key corresponds to, for example, the escrow verification key.
  • the second verification key is generated by the first generation unit 812, for example.
  • the first acquisition unit 811 acquires various information used in the processing of each functional unit.
  • the first acquisition unit 811 stores the acquired various information in the first storage unit 810 or outputs it to each functional unit. Further, the first acquisition unit 811 may output various information stored in the first storage unit 810 to each functional unit.
  • the first acquisition unit 811 acquires various information based on, for example, a user's operation input.
  • the first acquisition unit 811 may receive various information from a device different from the key management device 201, for example.
  • the first acquisition unit 811 acquires, for example, a key generation request regarding a predetermined signing device 202.
  • the key generation request may include identification information of a predetermined signing device 202, for example.
  • the first acquisition unit 811 receives an input of a key generation request based on a user's operation input.
  • the first acquisition unit 811 may receive a key generation request from a predetermined signing device 202.
  • the first acquisition unit 811 may receive a start trigger to start processing of any functional unit.
  • the start trigger is, for example, a predetermined operation input by the user.
  • the start trigger may be, for example, receiving predetermined information from another computer.
  • the start trigger may be, for example, that any functional unit outputs predetermined information.
  • the first acquisition unit 811 receives the acquisition of the key generation request as a start trigger for starting the processing of the first generation unit 812.
  • the first generation unit 812 generates a signature key and a verification key in response to a key generation request.
  • the first generation unit 812 generates at least an original verification key, a first signature key, and a second signature key.
  • the first generation unit 812 may generate the original signature key.
  • the first generation unit 812 may generate the first verification key.
  • the first generation unit 812 may generate the second verification key.
  • the first generation unit 812 generates, for example, a combination of an original signature key and an original verification key.
  • the first generation unit 812 generates, for example, a combination of a first signature key and a first verification key.
  • the first generation unit 812 generates the second signature key such that, for example, the combination of the first signature key and the second signature key can generate the same signature as the original signature key.
  • the first generation unit 812 can generate a signature that is verifiable with the original verification key and is the same as the signature using the original signature key, while keeping the original signature key secret.
  • the first output unit 813 outputs the processing result of at least one of the functional units.
  • the output format is, for example, displaying on a display, printing out to a printer, transmitting to an external device via network I/F 503, or storing in a storage area such as memory 502 or recording medium 505. Thereby, the first output unit 813 can notify the user of the processing results of at least one of the functional units, thereby improving the usability of the key management device 201.
  • the first output unit 813 transmits the first signature key to the signing device 202.
  • the first output unit 813 transmits the second signature key to the information processing device 100.
  • the first output unit 813 may transmit the first verification key to the information processing device 100.
  • the first output unit 813 provides the original verification key to the verification side device 203.
  • the first output unit 813 transmits, for example, the original verification key to the signature device 202 or the information processing device 100 so that the verification device 203 can obtain it.
  • the signature side device 202 includes a second storage section 820, a second acquisition section 821, a second anonymization section 822, a second signature generation section 823, and a second output section 824.
  • the second storage unit 820 is realized, for example, by a storage area such as the memory 602 or the recording medium 605 shown in FIG. 6.
  • Although a case will be described below in which the second storage unit 820 is included in the signing device 202, the present invention is not limited to this.
  • For example, the second storage unit 820 may be included in a device different from the signing device 202, and the stored contents of the second storage unit 820 may be referenced from the signing device 202.
  • the second acquisition unit 821 to second output unit 824 function as an example of a control unit of the signing device 202.
  • the second acquisition unit 821 to the second output unit 824 realize their functions, for example, by the network I/F 603 or by causing the CPU 601 to execute a program stored in a storage area such as the memory 602 or the recording medium 605 shown in FIG.
  • the processing results of each functional unit are stored in a storage area such as the memory 602 or the recording medium 605 shown in FIG. 6, for example.
  • the second storage unit 820 stores various information that is referenced or updated in the processing of each functional unit.
  • the second storage unit 820 stores the first signature key.
  • the first signature key is acquired by the second acquisition unit 821, for example.
  • the second acquisition unit 821 acquires various information used in the processing of each functional unit.
  • the second acquisition unit 821 stores the acquired various information in the second storage unit 820 or outputs it to each functional unit. Further, the second acquisition unit 821 may output various information stored in the second storage unit 820 to each functional unit.
  • the second acquisition unit 821 acquires various information based on, for example, a user's operation input.
  • the second acquisition unit 821 may receive various information from a device different from the signing device 202, for example.
  • the second acquisition unit 821 acquires, for example, the first signature key. Specifically, the second acquisition unit 821 receives the first signature key from the key management device 201.
  • the second acquisition unit 821 acquires target data, for example.
  • the target data is, for example, data sent to the verification device 203.
  • the target data can be anonymized and become anonymized data.
  • a signature is added to the target data.
  • the second acquisition unit 821 receives input of target data based on a user's operation input.
  • the second acquisition unit 821 may receive target data from another computer.
  • the second acquisition unit 821 acquires, for example, anonymized data.
  • the second acquisition unit 821 acquires anonymized data without acquiring target data.
  • the second acquisition unit 821 receives input of anonymized data based on a user's operation input.
  • the second acquisition unit 821 may receive anonymized data from another computer.
  • the second acquisition unit 821 acquires, for example, a second signature based on the second signature key for a first signature based on the first signature key. Specifically, the second acquisition unit 821 receives the second signature from the information processing device 100. More specifically, the second acquisition unit 821 receives the second signature from the information processing device 100 in response to transmitting the first signature to the information processing device 100.
  • the second acquisition unit 821 may receive a start trigger that starts processing of any of the functional units.
  • the start trigger is, for example, a predetermined operation input by the user.
  • the start trigger may be, for example, receiving predetermined information from another computer.
  • the start trigger may be, for example, that any functional unit outputs predetermined information.
  • the second acquisition unit 821 receives, for example, the acquisition of the target data as a start trigger for starting the process of the second anonymization unit 822.
  • the second acquisition unit 821 receives, for example, the acquisition of anonymized data as a start trigger for starting the processing of the second signature generation unit 823.
  • the second anonymization unit 822 performs an anonymization process on the target data and generates anonymization data.
  • the anonymization process is, for example, a hash value calculation process.
  • the second anonymization unit 822 generates a hash value of the target data as anonymization data. Thereby, the second anonymization unit 822 can generate a signature to be added to the target data while preventing leakage of the target data.
  • the second signature generation unit 823 generates a first signature using the first signature key for the anonymized data.
  • the second signature generation unit 823 generates a first signature by inputting the anonymized data and the first signature key into the signature function. Thereby, the second signature generation unit 823 can acquire one element that enables generation of the same signature as the signature using the original signature key.
  • the second output unit 824 outputs the processing result of at least one of the functional units.
  • the output format is, for example, displaying on a display, printing out to a printer, transmitting to an external device via network I/F 603, or storing in a storage area such as memory 602 or recording medium 605. Thereby, the second output unit 824 can notify the user of the processing results of at least one of the functional units, thereby improving the usability of the signature side device 202.
  • the second output unit 824 transmits the first signature to the information processing device 100, for example. Specifically, the second output unit 824 transmits the anonymized data to which the first signature is attached to the information processing device 100. Thereby, the second output unit 824 can enable the information processing apparatus 100 to generate the second signature.
  • the second output unit 824 transmits the second signature to the verification side device 203, for example. Specifically, the second output unit 824 transmits the target data to which the second signature has been added to the verification side device 203. Thereby, the second output unit 824 can make the target data verifiable by the verification device 203 based on the second signature.
  • the information processing device 100 includes a third storage unit 830, a third acquisition unit 831, a third verification unit 832, a third signature generation unit 833, and a third output unit 834.
  • the third storage unit 830 is realized, for example, by a storage area such as the memory 302 or the recording medium 305 shown in FIG. 3. Although a case will be described below in which the third storage unit 830 is included in the information processing device 100, the present invention is not limited to this. For example, there may be a case in which the third storage unit 830 is included in a device different from the information processing device 100, and the storage contents of the third storage unit 830 can be referenced from the information processing device 100.
  • the third acquisition unit 831 to third output unit 834 function as an example of a control unit. Specifically, the third acquisition unit 831 to the third output unit 834 realize their functions, for example, by the network I/F 303 or by causing the CPU 301 to execute a program stored in a storage area such as the memory 302 or the recording medium 305 shown in FIG.
  • the processing results of each functional unit are stored in a storage area such as the memory 302 or the recording medium 305 shown in FIG. 3, for example.
  • the third storage unit 830 stores various information that is referenced or updated in the processing of each functional unit.
  • the third storage unit 830 stores, for example, the second signature key.
  • the second signature key is acquired by the third acquisition unit 831, for example.
  • the third storage unit 830 may store the first verification key, for example.
  • the first verification key is acquired by the third acquisition unit 831, for example.
  • the third storage unit 830 may store the original verification key, for example.
  • the original verification key is acquired by the third acquisition unit 831, for example.
  • the third acquisition unit 831 acquires various information used in the processing of each functional unit.
  • the third acquisition unit 831 stores the acquired various information in the third storage unit 830 or outputs it to each functional unit. Further, the third acquisition unit 831 may output various information stored in the third storage unit 830 to each functional unit.
  • the third acquisition unit 831 acquires various information based on, for example, a user's operation input.
  • the third acquisition unit 831 may receive various information from a device different from the information processing device 100, for example.
  • the third acquisition unit 831 acquires, for example, the second signature key. Specifically, the third acquisition unit 831 receives the second signature key from the key management device 201. The third acquisition unit 831 may acquire the first verification key, for example. Specifically, the third acquisition unit 831 receives the first verification key from the key management device 201. The third acquisition unit 831 may acquire the original verification key, for example. Specifically, the third acquisition unit 831 receives the original verification key from the key management device 201.
  • the third acquisition unit 831 acquires, for example, the first signature. Specifically, the third acquisition unit 831 receives the first signature from the signing device 202. More specifically, the third acquisition unit 831 may receive the anonymized data to which the first signature is attached from the signing device 202. The third acquisition unit 831 acquires, for example, the original verification key. Specifically, the third acquisition unit 831 receives the original verification key from the key management device 201.
  • the third acquisition unit 831 may receive a start trigger that starts processing of any of the functional units.
  • the start trigger is, for example, a predetermined operation input by the user.
  • the start trigger may be, for example, receiving predetermined information from another computer.
  • the start trigger may be, for example, that any functional unit outputs predetermined information.
  • the third acquisition unit 831 receives the acquisition of the first signature as a start trigger for starting the processing of the third verification unit 832 and the third signature generation unit 833.
  • the third verification unit 832 uses the acquired first verification key to determine the validity of the received first signature.
  • the third verification unit 832 verifies the validity of the first signature, for example, based on the anonymized data and using the first verification key. Thereby, the third verification unit 832 can determine whether or not the second signature may be generated. If the first signature is not valid, the third verification unit 832 can determine that there is no need to generate the second signature and discard the first signature.
  • the third verification unit 832 may determine whether the second signature may be transmitted.
  • the third verification unit 832 can discard the second signature generated by the third signature generation unit 833 if the first signature is not valid.
  • the third signature generation unit 833 generates a second signature for the received first signature using the acquired second signature key.
  • the third signature generation unit 833 generates the second signature by inputting the first signature and the second signature key into the signature function, for example. Thereby, the third signature generation unit 833 can generate a second signature that is the same signature as the signature using the original signature key. Therefore, the third signature generation unit 833 can guarantee the authenticity of the anonymized data.
  • the third output unit 834 outputs the processing result of at least one of the functional units.
  • the output format is, for example, displaying on a display, printing out to a printer, transmitting to an external device via network I/F 303, or storing in a storage area such as memory 302 or recording medium 305. Thereby, the third output unit 834 can notify the user of the processing results of at least one of the functional units, thereby improving the usability of the information processing apparatus 100.
  • the third output unit 834 transmits the generated second signature to the signing device 202. Thereby, the third output unit 834 can enable the signature side device 202 to guarantee the authenticity of the anonymized data.
  • the third output unit 834 may transmit the acquired original verification key to the verification side device 203. Thereby, the third output unit 834 can make the second signature verifiable by the verification device 203.
  • the verification device 203 includes a fourth storage section 840, a fourth acquisition section 841, a fourth verification section 842, and a fourth output section 843.
  • the fourth storage unit 840 is realized, for example, by a storage area such as the memory 702 or the recording medium 705 shown in FIG. 7.
  • Although a case will be described below in which the fourth storage unit 840 is included in the verification device 203, the present invention is not limited to this.
  • For example, the fourth storage unit 840 may be included in a device different from the verification device 203, and the stored contents of the fourth storage unit 840 may be referenced from the verification device 203.
  • the fourth acquisition unit 841 to fourth output unit 843 function as an example of a control unit. Specifically, the fourth acquisition unit 841 to the fourth output unit 843 realize their functions, for example, by the network I/F 703 or by causing the CPU 701 to execute a program stored in a storage area such as the memory 702 or the recording medium 705 shown in FIG.
  • the processing results of each functional unit are stored in a storage area such as the memory 702 or the recording medium 705 shown in FIG. 7, for example.
  • the fourth storage unit 840 stores various information that is referenced or updated in the processing of each functional unit.
  • the fourth storage unit 840 stores, for example, the original verification key.
  • the original verification key is acquired by the fourth acquisition unit 841.
  • the fourth acquisition unit 841 acquires various information used in the processing of each functional unit.
  • the fourth acquisition unit 841 stores the acquired various information in the fourth storage unit 840 or outputs it to each functional unit. Further, the fourth acquisition unit 841 may output various information stored in the fourth storage unit 840 to each functional unit.
  • the fourth acquisition unit 841 acquires various information based on, for example, a user's operation input.
  • the fourth acquisition unit 841 may receive various information from a device different from the verification device 203, for example.
  • the fourth acquisition unit 841 acquires, for example, the second signature. Specifically, the fourth acquisition unit 841 receives the second signature from the signing device 202. More specifically, the fourth acquisition unit 841 receives the target data to which the second signature is attached from the signing device 202.
  • the fourth acquisition unit 841 acquires, for example, the original verification key.
  • the fourth acquisition unit 841 may acquire the original verification key, for example, in response to acquiring the second signature.
  • the fourth acquisition unit 841 receives the original verification key from the key management device 201.
  • the fourth acquisition unit 841 may receive the original verification key from the information processing device 100.
  • the fourth acquisition unit 841 may receive the original verification key from the signing device 202.
  • the fourth acquisition unit 841 may receive a start trigger to start processing of any functional unit.
  • the start trigger is, for example, a predetermined operation input by the user.
  • the start trigger may be, for example, receiving predetermined information from another computer.
  • the start trigger may be, for example, that any functional unit outputs predetermined information.
  • the fourth acquisition unit 841 receives, for example, the acquisition of the second signature and the original verification key as a start trigger for starting the process of the fourth verification unit 842.
  • the fourth verification unit 842 verifies the validity of the second signature.
  • the fourth verification unit 842 verifies the validity of the second signature, for example, based on the target data and using the original verification key. Thereby, the fourth verification unit 842 can verify the authenticity of the target data based on the validity of the second signature. If the second signature is not valid, the fourth verification unit 842 can determine that the target data is not authentic and discard the target data.
  • the fourth output unit 843 outputs the processing result of at least one of the functional units.
  • the output format is, for example, displaying on a display, printing out to a printer, transmitting to an external device via network I/F 703, or storing in a storage area such as memory 702 or recording medium 705. Thereby, the fourth output unit 843 can notify the user of the processing results of at least one of the functional units, thereby improving the usability of the verification-side device 203.
  • the fourth output unit 843 outputs the result of verifying the validity of the second signature so that the user can refer to it.
  • the fourth output unit 843 displays, for example, the result of verifying the validity of the second signature on the display 706. Thereby, the fourth output unit 843 can enable the user to understand the validity of the second signature and the authenticity of the target data suggested by the validity of the second signature.
  • the fourth output unit 843 outputs the target data so that the user can refer to it.
  • the fourth output unit 843 displays the target data on the display 706, for example. Thereby, the fourth output unit 843 can enable the user to understand the target data that is genuine.
  • the fourth output unit 843 can improve security.
  • Operation example 1 of the signature control system 200 will be described using FIGS. 9 to 11. Specifically, FIGS. 9 to 11 describe the case where a signer who intends to provide a contract to a verifier wants to acquire the signature to be added to the contract from the information processing device 100 while keeping the contract confidential.
  • An example of a blind signature method will be described using FIG. 9. Thereafter, a first operation example of the signature control system 200 in the case where the blind signature method described above is applied to the signature control system 200 will be explained using FIGS. 10 and 11.
  • FIG. 9 is an explanatory diagram showing an example of a blind signature method.
  • Original signature key 900 can be divided into a combination of protected signature key 901 and escrow signature key 902.
  • the escrow signature key 902 to be combined with the protected signature key 901 can be generated.
  • Blind processing 941 using the protected signature key 901 is defined for the contract 910.
  • When the blind processing 941 is performed on the contract 910, anonymized data 911 and a protected signature 921 corresponding to the contract 910 are generated.
  • the anonymized data 911 is a hash value of the contract 910.
  • the contract 910 is input to a hash function, anonymized data 911 which is a hash value of the contract 910 is generated, and the anonymized data 911 and the protected signature key 901 are input to the signature function. and generate a protection signature 921.
  • a signature process 942 using the entrusted signature key 902 is defined for the protected signature 921.
  • When the signature process 942 using the deposited signature key 902 is performed on the protected signature 921, a deposited signature 922 is generated.
  • the signature process 942 is, for example, generating an escrow signature 922 by inputting the protected signature 921 and the escrow signature key 902 into a signature function.
  • an original signature 931 is considered to be generated.
  • the escrow signature 922 has the property of matching the original signature 931. Therefore, the escrow signature 922 is generated verifiable with the original verification key 903 corresponding to the original signature key 900.
  • the escrow signature 922 may be generated so that it matches the original signature 931 and can be verified with the original verification key 903 after performing an unblind process 944 corresponding to the blind process.
  • the blind signature method described above can enable different computers to share the process of using the protected signature key 901 and the process of using the escrow signature key 902 in the process of generating the escrow signature 922. Therefore, in the blind signature method described above, if the signer securely holds the protected signature key 901 and controls the process of using the protected signature key 901, it is considered possible to prevent the escrow signature 922 from being generated fraudulently.
  • the blind signature method described above can generate the escrow signature 922 without using the original signature key 900, which is valid alone.
  • the signer only has to manage the protected signature key 901, which is not valid on its own.
  • the signer can avoid providing the original signature key, which is valid on its own, to an outside party. Therefore, the blind signature method described above can improve security and reduce the work burden on the signer.
  • the blind signature method described above can facilitate secure management of the contract 910 through blind processing 941 using the protected signature key 901. Next, the explanation will move on to FIGS. 10 and 11.
  • FIGS. 10 and 11 are explanatory diagrams showing an example 1 of operation of the signature control system 200.
  • the signer device 202 has a browser plug-in and operates using the browser plug-in.
  • the verification side device 203 has a mailer plug-in and operates using the mailer plug-in.
  • the key management device 201 is used, for example, by a signer. Specifically, it is assumed that the key management device 201 determines and accepts the operation input of a valid signer through authentication processing.
  • the information processing device 100 provides Trust as a Service.
  • the key management device 201 generates an original key pair by the KeyGen process 1000 based on the signer's operation input.
  • the original key pair is a combination of an original signature key 1001 and an original verification key 1002.
  • the key management device 201 generates a protection key pair by the KeyGen process 1000 based on the signer's operation input.
  • the protection key pair is a combination of a protection signature key 1011 and a protection verification key 1012.
  • the key management device 201 generates an entrusted key pair using the KeyGen process 1000.
  • the escrow key pair is a combination of an escrow signature key 1021 and an escrow verification key 1022.
  • the key management device 201 may generate the escrow verification key 1022 corresponding to the escrow signature key 1021.
  • the key management device 201 does not need to generate the escrow verification key 1022 corresponding to the escrow signature key 1021.
  • the key management device 201 defines a hash function $H: \{0,1\}^{*} \to Z_N$ and provides it to the signing device 202 and the information processing device 100.
  • the key management device 201 sends the protection key pair to the signing device 202.
  • the key management device 201 transmits the original verification key 1002, the protected verification key 1012, and the escrow signature key 1021 to the information processing device 100.
  • the key management device 201 may discard the original signature key 1001 after generating the protection key pair and the entrusted key pair. Next, the description will move on to FIG. 11.
  • the signing device 202 obtains the contract 1100 based on the signer's operation input.
  • the signing device 202 sets the acquired contract 1100 in the message m.
  • Signing side device 202 performs Blind processing 1121 on message m.
  • the information processing device 100 receives the hash value 1101 (m') to which the protection signature 1111 ( ⁇ ) has been added from the signing device 202.
  • the information processing apparatus 100 uses the protection verification key 1012(d') to verify the validity of the protection signature 1111( ⁇ ) based on the hash value 1101(m'). If the protection signature 1111( ⁇ ) is not valid, the information processing apparatus 100 discards the hash value 1101(m') to which the protection signature 1111( ⁇ ) is attached.
  • the information processing apparatus 100 performs Sign processing 1122 on the protected signature 1111(d').
  • the information processing device 100 sends the entrusted signature 1112 to the signing device 202.
  • the signing device 202 receives the deposited signature 1112 from the information processing device 100.
  • the signing device 202 performs an unblind process 1123 corresponding to the blind process 1121 on the deposited signature 1112 to obtain an original signature 1113.
  • the unblind process 1123 is performed based on the parameter r corresponding to the blind process 1121, for example.
  • the processing contents of the Unblind processing 1123 are defined according to the processing contents of the Blind processing 1121. Therefore, depending on the processing content of the blind processing 1121, the unblind processing 1123 may not perform any processing on the deposited signature 1112 and may set the deposited signature 1112 as the original signature 1113 as is.
  • the Unblind process 1123 does not perform any processing on the deposited signature 1112.
  • the signing device 202 may do without performing the Unblind process 1123.
  • the signing device 202 sends the message m with the original signature 1113 attached to the verification device 203 via email.
  • the verification side device 203 receives the message m to which the original signature 1113 has been added from the signature side device 202 via email.
  • the verification device 203 acquires the original verification key 1002 from the information processing device 100 in response to receiving the message m to which the original signature 1113 is attached.
  • the verification device 203 verifies the validity of the original signature 1113 using the original verification key 1002.
  • the verification device 203 outputs the result of verifying the validity of the original signature 1113 so that the verifier can refer to it. If the original signature 1113 is not valid, the verification side device 203 discards the message m to which the original signature 1113 is attached. If the original signature 1113 is valid, the verification side device 203 outputs the message m to which the original signature 1113 is attached so that the verifier can refer to it.
  • the signature control system 200 allows the signing device 202 to do without the original signature key 1001, which is valid on its own, so that it only needs to hold the protected signature key 1011, which is not valid on its own. Therefore, the signature control system 200 can prevent leakage of the original signature key 1001.
  • the signature control system 200 allows the information processing device 100 to do without the original signature key 1001 that is valid on its own, and can have the escrow signature key 1021 that is not valid on its own. Therefore, the signature control system 200 can improve security.
  • the signature control system 200 can easily conceal the message m. Therefore, the signature control system 200 can reduce the workload placed on the signer.
  • Even if the entrusted signature key 1021 is leaked from the information processing device 100 to an attacker, the signature control system 200 can prevent the original signature 1113 from being generated as long as the protected signature key 1011 is not leaked to the attacker.
  • the signature control system 200 can prevent an attacker from adding the original signature 1113 to a message other than the signer's legitimate message m.
  • the signature control system 200 can prevent the attacker from adding the original signature 1113 to a signer's legitimate message m even if the information processing device 100 is used by an attacker.
  • the signature control system 200 allows the verification device 203 to properly verify the authenticity of the message m even if the message m is intercepted and tampered with by an attacker, or is intercepted by an attacker and replaced with an unauthorized message m. In this way, the signature control system 200 can improve security and realize the original signature 1113 with relatively high reliability.
  • Operation example 2 is a specific example in which the signature control system 200 uses a nonce to easily conceal statistical information regarding the same blind message.
  • the nonce is a random number.
  • the statistical information is, for example, the number of times the escrow signature 1112 is generated for the same blind message.
  • Operation example 2 is an operation example in which the processing contents of the Blind processing 1121 shown in FIGS. 10 and 11 are replaced with the processing contents shown below.
  • the Blind process 1121 obtains the nonce $r_1$ from a uniform distribution.
  • the signature control system 200 can make the specific value of the escrow signature 1112 different each time it generates the escrow signature 1112 for the hash value 1101 of the same blind message. Therefore, the signature control system 200 can easily conceal statistical information regarding the same blind message.
  • Operation example 3 is a specific example of achieving unlinkability.
  • Unlinkability refers, for example, to the property that even if the message m to which the signature is attached and the nonce $r_1$ are made public in the future, it is difficult for the information processing device 100 to associate the message m with the blind message.
  • a case may be considered in which message m indicates a bid price and is published at a predetermined timing. In this case, if unlinkability is not achieved, the information processing device 100 may be able to associate the message m with the blind message based on the message m indicating the published bid price.
  • Operation example 3 is an operation example in which the processing contents of Blind processing 1121 and Unblind processing 1123 shown in FIGS. 10 and 11 are replaced with the processing contents shown below.
  • the blind process 1121 obtains nonces $r_1$ and $r_2$ from a uniform distribution.
  • the signature control system 200 can improve security.
  • the signature control system 200 can protect the privacy of signers.
  • Operation example 4 is a specific example in which the signature control system 200 uses the BLS (Boneh Lynn Shacham) encryption method instead of the RSA encryption method.
  • Operation example 4 is an operation example in which the processing contents of KeyGen processing 1000, Blind processing 1121, Sign processing 1122, and Unblind processing 1123 shown in FIGS. 10 and 11 are replaced with the processing contents shown below.
  • $G_1$, $G_2$, and $G_T$ are cyclic groups of prime order p.
  • Let $g_1$, $g_2$, and $g_T$ be the generators of $G_1$, $G_2$, and $G_T$, respectively.
  • a pairing map $e: G_1 \times G_2 \to G_T$ is defined.
  • the KeyGen process 1000 defines a hash function $H: \{0,1\}^{*} \to G_1$.
  • the blind process 1121 obtains nonces $r_1$ and $r_2$ from a uniform distribution.
  • X is pk.
  • the signature control system 200 can utilize the BLS encryption method, which can be applied to threshold signatures, aggregate signatures, etc., and can improve convenience.
  • FIGS. 12 and 13 are sequence diagrams showing an example of the registration processing procedure.
  • a signer (Alice) inputs a key generation request into the key management device 201.
  • the key management device 201 receives an input of a key generation request (step S1201).
  • the key management device 201 generates an original key pair in response to the key generation request (step S1202).
  • the key management device 201 generates a protection key pair (step S1203).
  • the key management device 201 generates an escrow signature key (step S1204).
  • the key management device 201 transmits the protection key pair to the signing device 202 via a secure communication means (step S1205).
  • the signing device 202 receives the protection key pair using the browser plug-in.
  • the signing device 202 uses the browser plug-in to transmit the server authentication information to the information processing device 100 (step S1206).
  • the server authentication information is information for guaranteeing the validity of the signing device 202.
  • After confirming the validity of the signing device 202 based on the server authentication information, the information processing device 100 transmits authentication success to the signing device 202 (step S1207). If the information processing device 100 cannot confirm the validity of the signing device 202, the signature control system 200 ends the registration process.
  • the signing device 202 uses the browser plug-in to send a registration request that associates the plug-in ID and the protection verification key to the information processing device 100 (step S1208).
  • the information processing apparatus 100 associates the plug-in ID and the protection verification key and registers them in the key management table 310.
  • the information processing device 100 transmits registration completion to the signing device 202 (step S1209).
  • the explanation will move on to FIG. 13.
  • the signing device 202 transmits the plug-in ID to the key management device 201 using the browser plug-in (step S1301).
  • the key management device 201 receives the plug-in ID from the signing device 202.
  • the key management device 201 generates server registration information including the plug-in ID (step S1302).
  • the server registration information includes a deposited signature key and an original verification key in association with the plug-in ID.
  • the key management device 201 generates a signature using the protected signature key for the server registration information, and adds the signature to the server registration information (step S1303).
  • the key management device 201 transmits a registration request to the information processing device 100 (step S1304).
  • the information processing device 100 transmits a request to transmit server registration information to the key management device 201 (step S1305).
  • the key management device 201 transmits the signed server registration information to the information processing device 100 via a secure communication means (step S1306).
  • the information processing device 100 receives server registration information with a signature added thereto from the key management device 201 .
  • the information processing apparatus 100 verifies the signature added to the server registration information using the protection verification key (step S1307).
  • If the signature is not valid, the information processing device 100 discards the server registration information. If the signature is valid, the information processing apparatus 100 registers the protection verification key and server registration information in the storage area in association with the plug-in ID (step S1308). Specifically, the information processing apparatus 100 registers the protection verification key, the entrusted signature key and the original verification key included in the server registration information in the key management table 310 in association with the plug-in ID. The information processing device 100 transmits registration completion to the key management device 201 (step S1309).
  • Upon receiving the registration completion notification, the key management device 201 outputs the registration completion notification so that the signer (Alice) can refer to it (step S1310). The key management device 201 may discard the original signature key (step S1311). The signature control system 200 ends the registration process. Thereby, the signature control system 200 can appropriately generate a protected signature key, a protected verification key, a deposited signature key, and an original verification key, and distribute them to the signing device 202 and the information processing device 100.
  • FIGS. 14 and 15 are sequence diagrams showing an example of a signature processing procedure.
  • a signer uses a PC or the like to create a document to be signed (step S1401).
  • the signer uses a PC or the like to transmit the document to be signed to the signing device 202 (step S1402).
  • the signing device 202 uses the protected signature key of the protected key pair to perform a blind process and generate a protected signature for the document (step S1403).
  • the signing device 202 transmits a signature processing start notification to the information processing device 100 (step S1404).
  • the signing device 202 receives a notification of approval for the start notification from the information processing device 100 (step S1405).
  • the signing device 202 transmits the verification information to the information processing device 100 using the browser plug-in (step S1406).
  • the verification information includes, for example, a document hash value, a protection signature, and a plug-in ID.
  • the plug-in ID is identification information that allows the signing device 202 to be identified.
  • the plug-in ID is identification information that allows the browser plug-in of the signing device 202 to be identified.
  • the information processing device 100 receives the verification information.
  • the information processing apparatus 100 acquires the entrusted signature key and the protection verification key associated with the plug-in ID included in the verification information from the key management table 310 (step S1407).
  • the information processing apparatus 100 verifies the validity of the verification information using the protection verification key (step S1408).
  • If the verification information is not valid, the information processing device 100 discards the verification information, and the signature control system 200 ends the signature process. If the verification information is valid, the information processing apparatus 100 performs a Sign process using the deposited signature key, generates a deposited signature for the protected signature, and adds the deposited signature to the protected signature (step S1409). Next, the explanation will move on to FIG. 15.
  • the information processing device 100 transmits the protected signature to which the deposited signature has been added to the signing device 202 (step S1501).
  • the signing device 202 receives the protected signature to which the deposited signature has been added from the information processing device 100 using the browser plug-in.
  • the signing device 202 uses the browser plug-in to perform unblind processing on the protected signature and generates an original signature (step S1502).
  • the signing device 202 uses the browser plug-in to add an original signature to the document (step S1503).
  • the signing device 202 transmits the document to which the original signature has been added to the verification device 203 (step S1504).
  • the verifying device 203 receives the document with the original signature from the signing device 202 using the mailer plug-in.
  • the verifier (Bob) inputs an original signature verification request to the verification device 203 (step S1505).
  • the verification device 203 receives an input of an original signature verification request using a mailer plug-in.
  • the verification device 203 uses the mailer plug-in to transmit the plug-in ID to the information processing device 100, and requests the information processing device 100 for the original verification key (step S1506).
  • the information processing device 100 obtains the original verification key from the key management table 310 based on the plug-in ID.
  • the information processing device 100 responds to the verification device 203 with the original verification key in association with the plug-in ID (step S1507).
  • the verification device 203 receives the original verification key from the information processing device 100 using the mailer plug-in.
  • the verification device 203 uses the mailer plug-in to verify the validity of the original signature, and verifies the authenticity of the document to which the original signature has been added (step S1508).
  • the verification device 203 uses the mailer plug-in to output the verification results so that the verification person (Bob) can refer to them (step S1509).
  • the signature control system 200 can safely exchange documents between the signing device 202 and the verifying device 203 while ensuring security.
  • According to the information processing device 100, the second signature key can be acquired from the management device that has the combination of the first signature key and the second signature key, which enables generation of the same signature as the original signature key.
  • According to the information processing device 100, the first signature using the first signature key on the anonymized data can be received from the first device 802 having the first signature key.
  • According to the information processing apparatus 100, it is possible to generate a second signature for the received first signature using the acquired second signature key.
  • the generated second signature can be transmitted to the first device 802. Thereby, the information processing apparatus 100 can generate a relatively highly reliable second signature, provide it to the first apparatus 802, and make it usable by the first apparatus 802.
  • the original verification key can further be acquired from the management device that has the original verification key corresponding to the original signature key. According to the information processing device 100, the acquired original verification key can be transmitted to the second device 803 that verifies the second signature. Thereby, the information processing device 100 can enable the second device 803 to verify the second signature, which has relatively high reliability.
  • the first verification key can further be obtained from the management device that has the first verification key corresponding to the first signature key.
  • the validity of the received first signature can be determined using the acquired first verification key.
  • the generated second signature can be transmitted to the first device 802. Thereby, the information processing apparatus 100 can improve security.
  • the hash value of the target data can be treated as anonymized data. Therefore, the information processing apparatus 100 can be applied even when the target data is anonymized.
  • According to the information processing device 100, it is possible to communicate with a management device that is the same device as the first device 802. Thereby, the information processing device 100 can be applied to a situation where the first device 802 and the management device are the same device.
  • the signature control method described in this embodiment can be realized by executing a program prepared in advance on a computer such as a PC or a workstation.
  • the signature control program described in this embodiment is recorded on a computer-readable recording medium, and executed by being read from the recording medium by the computer.
  • the recording medium includes a hard disk, a flexible disk, a CD (Compact Disc)-ROM, an MO (Magneto Optical Disc), a DVD (Digital Versatile Disc), and the like.
  • the signature control program described in this embodiment may be distributed via a network such as the Internet.
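The signing flow of operation example 1 (FIGS. 9 to 11), as an added example that is not taken from the patent: it assumes an RSA key split multiplicatively as d = d1 · d2 mod φ(N), toy Mersenne-prime parameters, a SHA-256-based stand-in for H, and hypothetical function names. The server-side check here tests the finished signature against the original verification key, a substitution for the page's protection verification key, whose construction the page does not give.

```python
"""Split-key RSA signing sketch for operation example 1 (toy parameters)."""
import hashlib
import math
import secrets

# Constructed toy parameters: two Mersenne primes. Far too small and too
# structured for real use; they only keep the example self-contained.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537  # original verification key (public exponent)


def hash_to_zn(message: bytes) -> int:
    """Toy stand-in for the page's hash H: {0,1}* -> Z_N (SHA-256 mod N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def keygen() -> dict:
    """Key management device: create the original key, then split it.

    Assumption (not stated on the page): the split is multiplicative,
    d = d1 * d2 mod phi(N), so neither share signs on its own.
    """
    d = pow(E, -1, PHI)                      # original signature key
    while True:
        d1 = secrets.randbelow(PHI - 2) + 2  # protected signature key
        if math.gcd(d1, PHI) == 1:
            break
    d2 = d * pow(d1, -1, PHI) % PHI          # escrow signature key
    return {"d": d, "d1": d1, "d2": d2}


def blind(message: bytes, d1: int) -> tuple:
    """Signing device: hide the document behind its hash, then apply d1."""
    m_hash = hash_to_zn(message)
    return m_hash, pow(m_hash, d1, N)


def escrow_sign(m_hash: int, protected_sig: int, d2: int):
    """Server: finish the signature with d2; drop requests whose result
    does not verify against the hash (returns None in that case)."""
    sig = pow(protected_sig, d2, N)
    if pow(sig, E, N) != m_hash:
        return None
    return sig


def verify(message: bytes, sig) -> bool:
    """Verifier: ordinary RSA check with the original verification key."""
    return sig is not None and pow(sig, E, N) == hash_to_zn(message)


def demo() -> dict:
    keys = keygen()
    contract = b"constructed sample contract: Alice sells 10 units to Bob"
    m_hash, protected = blind(contract, keys["d1"])
    sig = escrow_sign(m_hash, protected, keys["d2"])
    other_hash = hash_to_zn(b"constructed unrelated document")
    return {
        # Two-step signature equals the one the original key would produce.
        "split_matches_original": sig == pow(m_hash, keys["d"], N),
        "verifier_accepts": verify(contract, sig),
        "tampered_rejected": not verify(contract + b"!", sig),
        # Escrow key used without the protected key: nothing valid comes out.
        "escrow_key_alone_rejected":
            escrow_sign(m_hash, m_hash, keys["d2"]) is None,
        # Protected signature replayed against a different hash is dropped.
        "swapped_hash_rejected":
            escrow_sign(other_hash, protected, keys["d2"]) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The server only ever receives the hash and the partially signed value, never the contract bytes or d1.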

Abstract

An information processing device (100) acquires, from a management device (101), an original verification key (112) and a second signature key (131). The information processing device (100) receives, from a first device (102), a first signature (142) using a first signature key (121) for confidential data (141). The information processing device (100) generates, for the received first signature (142), a second signature (143) using the acquired second signature key (131). The information processing device (100) uses a prescribed signature function, for example, to generate, for the received first signature (142), the second signature (143) using the acquired second signature key (131). The information processing device (100) transmits the generated second signature (143) to the first device (102). The information processing device (100) transmits the acquired original verification key (112) to a second device (103) that verifies the second signature (143).

Description

Signature control method, signature control program, information processing device, and system
The present invention relates to a signature control method, a signature control program, an information processing device, and a system.
Conventionally, in order to prevent document information from being tampered with, an electronic signature using a signature key is sometimes attached to document information. To reduce the signer's workload in managing signature keys, such as generating and revoking them, there is a remote signature method in which the signer entrusts management of the signature key, the attaching of electronic signatures to data, and the like to an external server.
As prior art, for example, there is a system in which a server device applies a first encryption using a first split key to the hash value of an electronic document to generate encrypted data, and another server device applies a second encryption using a second split key to the encrypted data to generate signature data.
Japanese Patent Application Publication No. 2010-154098
However, with the conventional technology, it may not be possible to ensure the reliability of electronic signatures. For example, a signature key may be leaked to an attacker from an external server. For example, data for which an external server is asked to attach an electronic signature may be intercepted and tampered with by an attacker. For example, an administrator of an external server may be the attacker.
In one aspect, the present invention aims to improve the reliability of signatures.
According to one embodiment, a signature control device, a signature control method, and a signature control program are proposed that acquire the second signature key from a management device having a combination of a first signature key and a second signature key that makes it possible to generate the same signature as an original signature key, receive a first signature by the first signature key on anonymized data from a first device having the first signature key, generate a second signature by the acquired second signature key for the received first signature, and transmit the generated second signature to the first device.
According to one aspect, it is possible to improve the reliability of signatures.
FIG. 1 is an explanatory diagram showing an example of the signature control method according to the embodiment.
FIG. 2 is an explanatory diagram showing an example of the signature control system 200.
FIG. 3 is a block diagram showing an example of the hardware configuration of the information processing device 100.
FIG. 4 is an explanatory diagram showing an example of the stored contents of the key management table 310.
FIG. 5 is a block diagram showing an example of the hardware configuration of the key management device 201.
FIG. 6 is a block diagram showing an example of the hardware configuration of the signing device 202.
FIG. 7 is a block diagram showing an example of the hardware configuration of the verification side device 203.
FIG. 8 is a block diagram showing an example of the functional configuration of the signature control system 200.
FIG. 9 is an explanatory diagram showing an example of a blind signature method.
FIG. 10 is an explanatory diagram (part 1) showing operation example 1 of the signature control system 200.
FIG. 11 is an explanatory diagram (part 2) showing operation example 1 of the signature control system 200.
FIG. 12 is a sequence diagram (part 1) showing an example of the registration processing procedure.
FIG. 13 is a sequence diagram (part 2) showing an example of the registration processing procedure.
FIG. 14 is a sequence diagram (part 1) showing an example of the signature processing procedure.
FIG. 15 is a sequence diagram (part 2) showing an example of the signature processing procedure.
Embodiments of a signature control method, a signature control program, an information processing device, and a system according to the present invention will be described in detail below with reference to the drawings.
(An example of the signature control method according to the embodiment)
FIG. 1 is an explanatory diagram showing an example of the signature control method according to the embodiment. The information processing device 100 is a computer for improving the reliability of signatures. The signature is an electronic signature. The signature is defined by, for example, RSA (Rivest Shamir Adleman) cryptography.
 従来、文書情報の改ざん防止のため、文書情報に対して、署名鍵による電子署名が付与されることがある。ここで、署名鍵の生成および失効などの管理にかかる署名者の作業負担を低減するため、署名者が、署名鍵の管理、および、データに対する電子署名の付与などを、外部のサーバに委託するようにするリモート署名方式がある。リモート署名方式は、例えば、下記参考文献1に定義される。 Conventionally, in order to prevent document information from being tampered with, an electronic signature using a signature key is sometimes attached to document information. Here, in order to reduce the work burden on the signer in managing the generation and revocation of the signature key, the signer outsources the management of the signature key and the assignment of electronic signatures to the data to an external server. There is a remote signature method that does this. The remote signature method is defined, for example, in Reference 1 below.
Reference 1: "Document 4: Overview of remote signatures and last fiscal year's study results", [online], September 29, 2016, Electronic Signature Law Study Group (1st meeting of fiscal year 2016), [retrieved March 22, 2022], Internet <URL: https://www.meti.go.jp/committee/kenkyukai/shoujo/denshishomeihou/pdf/h28_001_04_00.pdf>
For example, one possible method is for the signer to upload the data itself to an external server. In this case, the external server accepts the data itself, generates an electronic signature for the accepted data using the signature key, attaches the generated electronic signature to the data, and provides the signed data to the signer. This method may fail to keep the data secure. For example, the data is disclosed to the external server. The data may also leak from the external server to an attacker.
Alternatively, the signer can upload a hash value of the data to the external server instead of the data itself. In this case, the external server accepts the hash value of the data, generates an electronic signature for the accepted hash value using the signature key, attaches the generated electronic signature to the hash value, and provides the signed hash value to the signer. With this method, it may not be possible to guarantee the reliability of the electronic signature.
For example, the signature key may leak from the external server to an attacker. The hash value of the data submitted to the external server for signing may be intercepted and tampered with by an attacker, or intercepted and replaced with the hash value of fraudulent data. The administrator of the external server may also be the attacker. As a result, the signer may receive the hash value of fraudulent data with an electronic signature attached.
This embodiment therefore describes a signature control method that can improve the reliability of signatures.
In FIG. 1, the information processing device 100 can communicate with a management device 101, a first device 102, and a second device 103. The management device 101 has an original verification key 112 corresponding to an original signature key 111, and a combination of a first signature key 121 and a second signature key 131 that together form the original signature key 111. A signature made with the original signature key 111 and a signature made with the combination of the first signature key 121 and the second signature key 131 are assumed to be the same signature. The original verification key 112 is a key that makes a signature made with the original signature key 111 verifiable, and it also makes a signature made with the combination of the first signature key 121 and the second signature key 131 verifiable.
A first verification key 122 corresponding to the first signature key 121 is considered to exist. The first verification key 122 is a key that makes a signature made with the first signature key 121 verifiable. The management device 101 does not need to have the first verification key 122. A second verification key 132 corresponding to the second signature key 131 is likewise considered to exist. The second verification key 132 is a key that makes a signature made with the second signature key 131 verifiable. The management device 101 does not need to have the second verification key 132.
The first device 102 can, for example, communicate with the management device 101. The first device 102 obtains, for example, the first signature key 121 from the management device 101. The first device 102 generates, for example, a first signature 142 for anonymized data 141 using the first signature key 121. Specifically, the first device 102 performs an anonymization process on the target data to generate the anonymized data 141 corresponding to the target data, and then uses a predetermined signature function to generate the first signature 142 for the generated anonymized data 141 with the first signature key 121. The anonymization process is, for example, a hash function. The first device 102 transmits, for example, the generated first signature 142 to the information processing device 100. Specifically, the first device 102 may transmit the anonymized data 141 with the first signature 142 attached to the information processing device 100.
(1-1) The information processing device 100 obtains the original verification key 112 and the second signature key 131 from the management device 101.
(1-2) The information processing device 100 receives the first signature 142, made on the anonymized data 141 with the first signature key 121, from the first device 102, which holds the first signature key 121. The information processing device 100 may, for example, receive the anonymized data 141 with the first signature 142 attached from the first device 102.
As a result, the information processing device 100 can obtain the information it needs to generate a signature based on the combination of the first signature key 121 and the second signature key 131 without referring to the first signature key 121. The first device 102 does not have to disclose the first signature key 121, so the first signature key 121 can be kept secret.
(1-3) The information processing device 100 generates a second signature 143 for the received first signature 142 using the obtained second signature key 131. For example, the information processing device 100 uses a predetermined signature function to generate the second signature 143 for the received first signature 142 with the obtained second signature key 131. In this way, the information processing device 100 can obtain a signature based on the combination of the first signature key 121 and the second signature key 131, verifiable with the original verification key 112, without referring to the first signature key 121.
(1-4) The information processing device 100 transmits the generated second signature 143 to the first device 102. This makes the generated second signature 143 available to the first device 102. For example, the information processing device 100 can make the generated second signature 143 usable in association with the anonymized data 141 or the target data. The first device 102 may then, for example, transmit the target data with the second signature 143 attached to the second device 103.
(1-5) The information processing device 100 transmits the obtained original verification key 112 to the second device 103, which verifies the second signature 143. This enables the second device 103 to verify the second signature 143. In this way, without referring to the target data itself and without referring to the first signature key 121, the information processing device 100 can generate the second signature 143, which is based on the combination of the first signature key 121 and the second signature key 131 and is verifiable with the original verification key 112. The information processing device 100 can then make the second signature 143 available to the first device 102 and verifiable by the second device 103.
Therefore, the information processing device 100 allows the first signature key 121 to be kept secret and can improve the reliability of the second signature 143. The information processing device 100 can prevent the first signature key 121 from leaking to an attacker. The information processing device 100 can make it difficult for an attacker to intercept the first signature 142 and tamper with it or replace it with a fraudulent signature. Even if the user of the information processing device 100 is an attacker, the information processing device 100 can make it difficult to fraudulently generate the first signature 142.
The description above covers the case where the first device 102 is a device different from the management device 101 and can communicate with the management device 101, but the embodiment is not limited to this. For example, the first device 102 may be the same device as the management device 101. In that case, the first device 102 has the original verification key 112 corresponding to the original signature key 111, and the combination of the first signature key 121 and the second signature key 131 that form the original signature key 111.
The description above covers the case where the information processing device 100 obtains at least the original verification key 112 and the second signature key 131 from the management device 101, but the embodiment is not limited to this. For example, the information processing device 100 may additionally obtain the first verification key 122 from the management device 101. The information processing device 100 can then verify the first signature 142, which improves security.
The description above covers the case where the information processing device 100 transmits the original verification key 112 to the second device 103, but the embodiment is not limited to this. For example, the management device 101 may transmit the original verification key 112 to the second device 103. Alternatively, the first device 102 may receive the original verification key 112 from the management device 101 and transmit it to the second device 103.
The description above covers the case where the information processing device 100 operates on its own, but the embodiment is not limited to this. For example, a plurality of computers may cooperate to realize the functions of the information processing device 100. The functions of the information processing device 100 may also be implemented in the cloud.
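The flow of steps (1-1) to (1-5), including the optional check of the first signature with the first verification key, as an added example that is not code from the patent. It assumes textbook RSA without padding and a multiplicative split d1·d2 ≡ d (mod φ(N)), which is one way to obtain the "same signature" property described above; the function names and the toy modulus are constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy modulus built from two Mersenne primes; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)


def conceal(data: bytes) -> int:
    """Anonymization step: hash the target data and reduce it into Z_N (no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def generate_keys(e: int = 65537) -> dict:
    """Management device: original pair (d, e), first pair (d1, e1), second key d2.

    Assumption of this example: the split is multiplicative, d1 * d2 = d (mod phi).
    """
    d = pow(e, -1, PHI)                      # original signature key
    while True:                              # pick a random d1 that is invertible mod phi
        d1 = secrets.randbelow(PHI - 2) + 2
        if gcd(d1, PHI) == 1:
            break
    e1 = pow(d1, -1, PHI)                    # first verification key
    d2 = (d * e1) % PHI                      # second signature key
    return {"e": e, "d": d, "d1": d1, "e1": e1, "d2": d2}


def first_sign(h: int, d1: int) -> int:
    """First device: sign the anonymized data with the first signature key."""
    return pow(h, d1, N)


def second_sign(h: int, s1: int, d2: int, e1=None):
    """Information processing device: sign the first signature with the second key.

    It sees only the hash h and s1, never the target data or d1. When the first
    verification key e1 is available, an invalid first signature is discarded.
    """
    if e1 is not None and pow(s1, e1, N) != h:
        return None
    return pow(s1, d2, N)


def verify(data: bytes, s2: int, e: int) -> bool:
    """Second device: check the second signature with the original verification key."""
    return pow(s2, e, N) == conceal(data)


if __name__ == "__main__":
    keys = generate_keys()
    data = b"constructed sample document"
    h = conceal(data)
    s1 = first_sign(h, keys["d1"])
    s2 = second_sign(h, s1, keys["d2"], keys["e1"])
    print("same as original-key signature:", s2 == pow(h, keys["d"], N))
    print("verifies with original key:", verify(data, s2, keys["e"]))
    # A first signature altered in transit is rejected when e1 is held...
    print("tampered s1 discarded:", second_sign(h, (s1 + 1) % N, keys["d2"], keys["e1"]) is None)
    # ...and without e1 it is signed, but the result fails verification downstream.
    blind = second_sign(h, (s1 + 1) % N, keys["d2"])
    print("tampered s1 verifies:", verify(data, blind, keys["e"]))
```
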
(Example of signature control system 200)
Next, an example of a signature control system 200 to which the information processing device 100 shown in FIG. 1 is applied will be described using FIG. 2.
FIG. 2 is an explanatory diagram showing an example of the signature control system 200. In FIG. 2, the signature control system 200 includes the information processing device 100, one or more key management devices 201, one or more signing devices 202, and one or more verification devices 203.
In the signature control system 200, the information processing device 100 and the key management device 201 are connected via a wired or wireless network 210. The network 210 is, for example, a LAN (Local Area Network), a WAN (Wide Area Network), or the Internet.
In the signature control system 200, the information processing device 100 and the signing device 202 are connected via the wired or wireless network 210. The information processing device 100 and the verification device 203 are connected via the wired or wireless network 210. The key management device 201 and the signing device 202 are connected via the wired or wireless network 210. The signing device 202 and the verification device 203 are connected via the wired or wireless network 210.
The key management device 201 is a computer that manages signature keys. The key management device 201 is used, for example, by a signer.
The key management device 201 generates an original key pair. The original key pair is a combination of an original signature key and an original verification key. The original signature key corresponds to the original signature key 111 shown in FIG. 1. The original verification key corresponds to the original verification key 112 shown in FIG. 1.
The key management device 201 generates a protection key pair. The protection key pair is a combination of a protected signature key and a protection verification key. The protected signature key corresponds to the first signature key 121 shown in FIG. 1. The protection verification key corresponds to the first verification key 122 shown in FIG. 1. The key management device 201 also generates an escrow signature key. The escrow signature key corresponds to the second signature key 131 shown in FIG. 1. The key management device 201 generates the escrow signature key so that the original signature key can be formed by combining the protected signature key and the escrow signature key.
The key management device 201 provides at least the protected signature key to the signing device 202.
The key management device 201 provides at least the escrow signature key to the information processing device 100. The key management device 201 may additionally provide the protection verification key to the information processing device 100. For example, the key management device 201 may provide the protection verification key to the information processing device 100 via the signing device 202. The key management device 201 may additionally provide the original verification key to the information processing device 100. The key management device 201 is, for example, a server or a PC (Personal Computer).
The signing device 202 is a computer that generates a protected signature using the protected signature key. The protected signature corresponds to the first signature shown in FIG. 1. The signing device 202 is used, for example, by a signer.
The signing device 202 receives the protected signature key from the key management device 201. The signing device 202 holds anonymized data obtained by performing an anonymization process on the target data. For example, the signing device 202 performs the anonymization process on the target data itself to generate the anonymized data. Alternatively, the signing device 202 may receive, from another computer, anonymized data obtained by performing the anonymization process on the target data. The signing device 202 generates a protected signature for the anonymized data using the protected signature key.
The signing device 202 transmits the generated protected signature to the information processing device 100. For example, the signing device 202 may transmit the anonymized data with the generated protected signature attached to the information processing device 100. The signing device 202 receives, from the information processing device 100, the escrow signature made on the protected signature with the escrow signature key. The signing device 202 transmits this escrow signature to the verification device 203. For example, the signing device 202 transmits the target data with the escrow signature attached to the verification device 203. The signing device 202 is, for example, a PC, a tablet terminal, or a smartphone.
The information processing device 100 is a computer that generates an escrow signature using the escrow signature key. The escrow signature corresponds to the second signature shown in FIG. 1. The information processing device 100 is used, for example, by a system administrator of the signature control system 200.
The information processing device 100 receives the escrow signature key from the key management device 201. The information processing device 100 may receive the protection verification key from the key management device 201. The information processing device 100 may receive the original verification key from the key management device 201. The information processing device 100 receives the protected signature from the signing device 202. For example, the information processing device 100 may receive the anonymized data with the protected signature attached from the signing device 202.
If the information processing device 100 has received the protection verification key, it may verify whether the protected signature is valid based on the protection verification key. If the protected signature is not valid, the information processing device 100 discards the protected signature. The information processing device 100 generates an escrow signature for the protected signature using the escrow signature key. The information processing device 100 transmits the generated escrow signature to the signing device 202. The information processing device 100 transmits the original verification key to the verification device 203. The information processing device 100 is, for example, a server or a PC.
The verification device 203 receives the escrow signature from the signing device 202. The verification device 203 is used, for example, by a verifier.
For example, the verification device 203 receives the target data with the escrow signature attached from the signing device 202. The verification device 203 obtains the original verification key. For example, the verification device 203 receives the original verification key from the information processing device 100. The verification device 203 verifies whether the escrow signature is valid based on the original verification key. If the escrow signature is not valid, the verification device 203 discards the target data. The verification device 203 is, for example, a PC, a tablet terminal, or a smartphone.
The description above covers the case where the key management device 201 provides the original verification key to the information processing device 100 so that the verification device 203 can obtain it, but the embodiment is not limited to this. For example, the key management device 201 may provide the original verification key to the verification device 203 via the signing device 202. Alternatively, the key management device 201 may provide the original verification key directly to the verification device 203.
The description above covers the case where the key management device 201 is a device different from the signing device 202, but the embodiment is not limited to this. For example, the signing device 202 may have the functions of the key management device 201 and also operate as the key management device 201. Likewise, the description above covers the case where the signing device 202 is a device different from the verification device 203, but the embodiment is not limited to this. For example, the signing device 202 may have the functions of the verification device 203 and also operate as the verification device 203.
(Example of hardware configuration of information processing device 100)
Next, an example of the hardware configuration of the information processing device 100 will be described using FIG. 3.
FIG. 3 is a block diagram showing an example of the hardware configuration of the information processing device 100. In FIG. 3, the information processing device 100 includes a CPU (Central Processing Unit) 301, a memory 302, a network I/F (Interface) 303, a recording medium I/F 304, and a recording medium 305. These components are connected to one another by a bus 300.
The CPU 301 controls the information processing device 100 as a whole. The memory 302 includes, for example, a ROM (Read Only Memory), a RAM (Random Access Memory), and a flash ROM. Specifically, for example, the flash ROM and the ROM store various programs, and the RAM is used as a work area for the CPU 301. A program stored in the memory 302 is loaded into the CPU 301 and causes the CPU 301 to execute the coded processing.
The memory 302 stores, for example, a protection verification key, an escrow signature key, and an original verification key in association with each other for each signing device 202. The protection verification key is, for example, the protection verification key corresponding to the protected signature key provided to the signing device 202. The escrow signature key is, for example, the escrow signature key that is combined with the protected signature key provided to the signing device 202. The original signature key is, for example, the original verification key corresponding to the original signature key that can generate the same signature as the combination of the protected signature key and the escrow signature key. Specifically, the memory 302 stores the key management table 310 described later with reference to FIG. 4.
The network I/F 303 is connected to the network 210 through a communication line, and is connected to other computers via the network 210. The network I/F 303 serves as the interface between the network 210 and the inside of the device, and controls the input and output of data from other computers. The network I/F 303 is, for example, a modem or a LAN adapter.
The recording medium I/F 304 controls the reading and writing of data from and to the recording medium 305 under the control of the CPU 301. The recording medium I/F 304 is, for example, a disk drive, an SSD (Solid State Drive), or a USB (Universal Serial Bus) port. The recording medium 305 is a nonvolatile memory that stores data written under the control of the recording medium I/F 304. The recording medium 305 is, for example, a disk, a semiconductor memory, or a USB memory. The recording medium 305 may be removable from the information processing device 100.
In addition to the components described above, the information processing device 100 may include, for example, a keyboard, a mouse, a display, a printer, a scanner, a microphone, and a speaker. The information processing device 100 may include a plurality of recording medium I/Fs 304 and recording media 305. The information processing device 100 also does not need to have the recording medium I/F 304 or the recording medium 305.
(Stored contents of key management table 310)
Next, an example of the stored contents of the key management table 310 will be described using FIG. 4. The key management table 310 is realized, for example, by a storage area such as the memory 302 or the recording medium 305 of the information processing device 100 shown in FIG. 3.
FIG. 4 is an explanatory diagram showing an example of the stored contents of the key management table 310. As shown in FIG. 4, the key management table 310 has fields for a plug-in ID, a protection verification key, an escrow signature key, and an original verification key. In the key management table 310, key management information is stored as a record 400-a by setting information in each field for each signing device 202. Here, a is an arbitrary integer.
The plug-in ID field holds a plug-in ID, which is identification information identifying the browser plug-in of the signing device 202. The protection verification key field holds a protection verification key. For example, it holds the protection verification key corresponding to the protected signature key provided to that signing device 202. The protection verification key is provided, for example, by the key management device 201.
The escrow signature key field holds an escrow signature key. For example, it holds the escrow signature key that is combined with the protected signature key provided to that signing device 202. The escrow signature key is provided, for example, by the key management device 201. The original verification key field holds an original verification key. For example, it holds the original verification key that can generate the same signature as the combination of the protected signature key provided to that signing device 202 and the escrow signature key. The original verification key is provided, for example, by the key management device 201.
(Example of hardware configuration of key management device 201)
Next, an example of the hardware configuration of the key management device 201 will be described using FIG. 5.
FIG. 5 is a block diagram showing an example of the hardware configuration of the key management device 201. In FIG. 5, the key management device 201 includes a CPU 501, a memory 502, a network I/F 503, a recording medium I/F 504, and a recording medium 505. The components are connected to one another by a bus 500.
The hardware configuration example of the key management device 201 is specifically the same as that of the information processing device 100, but the contents stored in the memory 502 differ from the contents stored in the memory 302. The memory 502 stores, for example, a protection key pair, an escrow key pair, and an original key pair that the key management device 201 itself generated for one of the signing devices 202, in association with each other. The memory 502 need not store, for example, the escrow verification key of the escrow key pair. The memory 502 may, for example, have discarded the original signature key of the original key pair.
(Example of hardware configuration of signing device 202)
Next, an example of the hardware configuration of the signing device 202 included in the signature control system 200 shown in FIG. 2 will be described using FIG. 6.
FIG. 6 is a block diagram showing an example of the hardware configuration of the signing device 202. In FIG. 6, the signing device 202 includes a CPU 601, a memory 602, a network I/F 603, a recording medium I/F 604, a recording medium 605, a display 606, and an input device 607. The components are connected to one another by a bus 600.
Here, the CPU 601 is in charge of overall control of the signing device 202. The memory 602 includes, for example, a ROM, a RAM, and a flash ROM. Specifically, for example, the flash ROM or the ROM stores various programs, and the RAM is used as a work area for the CPU 601. A program stored in the memory 602 is loaded into the CPU 601 and causes the CPU 601 to execute the coded processing. The memory 602 stores, for example, the protection key pair provided to the device itself. The memory 602 need not store, for example, the protection verification key of the protection key pair.
The network I/F 603 is connected to the network 210 through a communication line, and is connected to other computers via the network 210. The network I/F 603 handles the interface between the network 210 and the inside of the device, and controls the input and output of data from other computers. The network I/F 603 is, for example, a modem or a LAN adapter.
The recording medium I/F 604 controls reading and writing of data to and from the recording medium 605 under the control of the CPU 601. The recording medium I/F 604 is, for example, a disk drive, an SSD, or a USB port. The recording medium 605 is a nonvolatile memory that stores data written under the control of the recording medium I/F 604. The recording medium 605 is, for example, a disk, a semiconductor memory, or a USB memory. The recording medium 605 may be removable from the signing device 202.
The display 606 displays data such as a cursor, icons, and toolboxes, as well as documents, images, and functional information. The display 606 is, for example, a CRT (Cathode Ray Tube), a liquid crystal display, or an organic EL (Electroluminescence) display. The input device 607 has keys for inputting characters, numbers, and various instructions, and is used to input data. The input device 607 may be a keyboard, a mouse, or the like, or may be a touch-panel input pad, a numeric keypad, or the like.
In addition to the components described above, the signing device 202 may include, for example, a printer, a scanner, a microphone, and a speaker. The signing device 202 may have a plurality of recording medium I/Fs 604 and recording media 605. The signing device 202 need not have the recording medium I/F 604 or the recording medium 605.
(Example of hardware configuration of verification side device 203)
Next, an example of the hardware configuration of the verification side device 203 included in the signature control system 200 shown in FIG. 2 will be described using FIG. 7.
FIG. 7 is a block diagram showing an example of the hardware configuration of the verification side device 203. In FIG. 7, the verification side device 203 includes a CPU 701, a memory 702, a network I/F 703, a recording medium I/F 704, a recording medium 705, a display 706, and an input device 707. The components are connected to one another by a bus 700.
The hardware configuration example of the verification side device 203 is specifically the same as that of the signing device 202, but the contents stored in the memory 702 differ from the contents stored in the memory 602. The memory 702 stores, for example, the original verification key provided to the device itself.
Here, the CPU 701 is in charge of overall control of the verification side device 203. The memory 702 includes, for example, a ROM, a RAM, and a flash ROM. Specifically, for example, the flash ROM or the ROM stores various programs, and the RAM is used as a work area for the CPU 701. A program stored in the memory 702 is loaded into the CPU 701 and causes the CPU 701 to execute the coded processing.
The network I/F 703 is connected to the network 210 through a communication line, and is connected to other computers via the network 210. The network I/F 703 handles the interface between the network 210 and the inside of the device, and controls the input and output of data from other computers. The network I/F 703 is, for example, a modem or a LAN adapter.
The recording medium I/F 704 controls reading and writing of data to and from the recording medium 705 under the control of the CPU 701. The recording medium I/F 704 is, for example, a disk drive, an SSD, or a USB port. The recording medium 705 is a nonvolatile memory that stores data written under the control of the recording medium I/F 704. The recording medium 705 is, for example, a disk, a semiconductor memory, or a USB memory. The recording medium 705 may be removable from the verification side device 203.
The display 706 displays data such as a cursor, icons, and toolboxes, as well as documents, images, and functional information. The display 706 is, for example, a CRT (Cathode Ray Tube), a liquid crystal display, or an organic EL (Electroluminescence) display. The input device 707 has keys for inputting characters, numbers, and various instructions, and is used to input data. The input device 707 may be a keyboard, a mouse, or the like, or may be a touch-panel input pad, a numeric keypad, or the like.
In addition to the components described above, the verification side device 203 may include, for example, a printer, a scanner, a microphone, and a speaker. The verification side device 203 may have a plurality of recording medium I/Fs 704 and recording media 705. The verification side device 203 need not have the recording medium I/F 704 or the recording medium 705.
(Functional configuration example of signature control system 200)
Next, an example of the functional configuration of the signature control system 200 will be described using FIG. 8.
FIG. 8 is a block diagram showing an example of the functional configuration of the signature control system 200. The signature control system 200 is a system including, for example, a management device 801, a first device 802, the information processing device 100, and a second device 803. The management device 801 is, for example, the key management device 201 shown in FIG. 2. In the following description, the management device 801 is assumed to be the "key management device 201."
The first device 802 is, for example, the signing device 202 shown in FIG. 2. In the following description, the first device 802 is assumed to be the "signing device 202." The second device 803 is, for example, the verification side device 203 shown in FIG. 2. In the following description, the second device 803 is assumed to be the "verification side device 203." The management device 801 may be the same device as the first device 802.
The key management device 201 includes a first storage unit 810, a first acquisition unit 811, a first generation unit 812, and a first output unit 813.
The first storage unit 810 is realized, for example, by a storage area such as the memory 502 or the recording medium 505 shown in FIG. 5. The following describes the case in which the first storage unit 810 is included in the key management device 201, but the configuration is not limited to this. For example, the first storage unit 810 may be included in a device different from the key management device 201, and the contents stored in the first storage unit 810 may be referenced from the key management device 201.
The first acquisition unit 811 to the first output unit 813 function as an example of a control unit of the key management device 201. Specifically, the first acquisition unit 811 to the first output unit 813 realize their functions, for example, by causing the CPU 501 to execute a program stored in a storage area such as the memory 502 or the recording medium 505 shown in FIG. 5, or by means of the network I/F 503. The processing results of each functional unit are stored, for example, in a storage area such as the memory 502 or the recording medium 505 shown in FIG. 5.
The first storage unit 810 stores various information that is referenced or updated in the processing of each functional unit. The first storage unit 810 stores a signature key or a verification key to be provided to a predetermined signing device 202. The signature key is realized by, for example, a private key. The verification key is realized by, for example, a public key.
The first storage unit 810 stores, for example, an original signature key (元署名鍵) to be provided to a predetermined signing device 202. This original signature key corresponds to, for example, the original signature key (オリジナル署名鍵) of the embodiment. The original signature key is generated by, for example, the first generation unit 812. The first storage unit 810 stores, for example, an original verification key (元検証鍵) that corresponds to the original signature key and is to be provided to a predetermined signing device 202. The original verification key can verify a signature made with the original signature key. This original verification key corresponds to, for example, the original verification key (オリジナル検証鍵) of the embodiment. The original verification key is generated by, for example, the first generation unit 812.
The first storage unit 810 stores, for example, a first signature key to be provided to a predetermined signing device 202. The first signature key corresponds to, for example, the protection signature key. The first signature key is generated by, for example, the first generation unit 812. The first signature key enables generation of a first signature. The first storage unit 810 stores, for example, a first verification key that corresponds to the first signature key and is to be provided to a predetermined signing device 202. The first verification key can verify a signature made with the first signature key. The first verification key corresponds to, for example, the protection verification key. The first verification key is generated by, for example, the first generation unit 812.
The first storage unit 810 stores, for example, a second signature key to be provided to a predetermined signing device 202. The second signature key corresponds to, for example, the escrow signature key. The second signature key is generated by, for example, the first generation unit 812. The second signature key enables generation of a second signature. The first storage unit 810 stores, for example, a second verification key that corresponds to the second signature key and is to be provided to a predetermined signing device 202. The second verification key can verify a signature made with the second signature key. The second verification key corresponds to, for example, the escrow verification key. The second verification key is generated by, for example, the first generation unit 812.
The first acquisition unit 811 acquires various information used in the processing of each functional unit. The first acquisition unit 811 stores the acquired information in the first storage unit 810 or outputs it to each functional unit. The first acquisition unit 811 may also output information already stored in the first storage unit 810 to each functional unit. The first acquisition unit 811 acquires the information based on, for example, a user's operation input. The first acquisition unit 811 may receive the information from, for example, a device different from the key management device 201.
The first acquisition unit 811 acquires, for example, a key generation request regarding a predetermined signing device 202. The key generation request may include, for example, identification information of the predetermined signing device 202. The first acquisition unit 811 accepts input of the key generation request based on a user's operation input. The first acquisition unit 811 may receive the key generation request from the predetermined signing device 202.
The first acquisition unit 811 may accept a start trigger that starts the processing of any of the functional units. The start trigger is, for example, a predetermined operation input by the user. The start trigger may be, for example, the reception of predetermined information from another computer. The start trigger may be, for example, the output of predetermined information by any of the functional units.
Specifically, the first acquisition unit 811 accepts the acquisition of a key generation request as the start trigger for starting the processing of the first generation unit 812.
The first generation unit 812 generates a signature key and a verification key in response to the key generation request. The first generation unit 812 generates at least the original verification key, the first signature key, and the second signature key. The first generation unit 812 may generate the original signature key. The first generation unit 812 may generate the first verification key. The first generation unit 812 may generate the second verification key.
The first generation unit 812 generates, for example, a combination of the original signature key and the original verification key. The first generation unit 812 generates, for example, a combination of the first signature key and the first verification key. The first generation unit 812 generates the second signature key such that, for example, the combination of the first signature key and the second signature key can generate the same signature as the original signature key. The first generation unit 812 thereby makes it possible, while keeping the original signature key secret, to generate a signature that is identical to a signature made with the original signature key and that can be verified with the original verification key.
The first output unit 813 outputs the processing result of at least one of the functional units. The output format is, for example, display on a display, print output to a printer, transmission to an external device via the network I/F 503, or storage in a storage area such as the memory 502 or the recording medium 505. The first output unit 813 can thereby notify the user of the processing result of at least one of the functional units, improving the usability of the key management device 201.
The first output unit 813 transmits the first signature key to the signing device 202. The first output unit 813 transmits the second signature key to the information processing device 100. The first output unit 813 may transmit the first verification key to the information processing device 100. The first output unit 813 provides the original verification key to the verification side device 203. For example, the first output unit 813 transmits the original verification key to the signing device 202 or the information processing device 100 in such a way that the verification side device 203 can obtain it.
The signing device 202 includes a second storage unit 820, a second acquisition unit 821, a second anonymization unit 822, a second signature generation unit 823, and a second output unit 824.
The second storage unit 820 is realized, for example, by a storage area such as the memory 602 or the recording medium 605 shown in FIG. 6. The following describes the case in which the second storage unit 820 is included in the signing device 202, but the configuration is not limited to this. For example, the second storage unit 820 may be included in a device different from the signing device 202, and the contents stored in the second storage unit 820 may be referenced from the signing device 202.
The second acquisition unit 821 to the second output unit 824 function as an example of a control unit of the signing device 202. Specifically, the second acquisition unit 821 to the second output unit 824 realize their functions, for example, by causing the CPU 601 to execute a program stored in a storage area such as the memory 602 or the recording medium 605 shown in FIG. 6, or by means of the network I/F 603. The processing results of each functional unit are stored, for example, in a storage area such as the memory 602 or the recording medium 605 shown in FIG. 6.
The second storage unit 820 stores various information that is referenced or updated in the processing of each functional unit. The second storage unit 820 stores the first signature key. The first signature key is acquired by, for example, the second acquisition unit 821.
The second acquisition unit 821 acquires various information used in the processing of each functional unit. The second acquisition unit 821 stores the acquired information in the second storage unit 820 or outputs it to each functional unit. The second acquisition unit 821 may also output information already stored in the second storage unit 820 to each functional unit. The second acquisition unit 821 acquires the information based on, for example, a user's operation input. The second acquisition unit 821 may receive the information from, for example, a device different from the signing device 202.
The second acquisition unit 821 acquires, for example, the first signature key. Specifically, the second acquisition unit 821 receives the first signature key from the key management device 201.
The second acquisition unit 821 acquires, for example, target data. The target data is, for example, data to be transmitted to the verification side device 203. The target data can, for example, be anonymized to become anonymized data. A signature is, for example, attached to the target data. Specifically, the second acquisition unit 821 accepts input of the target data based on a user's operation input. Specifically, the second acquisition unit 821 may receive the target data from another computer.
The second acquisition unit 821 acquires, for example, anonymized data. The second acquisition unit 821 acquires the anonymized data without acquiring the target data. Specifically, the second acquisition unit 821 accepts input of the anonymized data based on a user's operation input. Specifically, the second acquisition unit 821 may receive the anonymized data from another computer.
The second acquisition unit 821 acquires, for example, a second signature made with the second signature key over the first signature made with the first signature key. Specifically, the second acquisition unit 821 receives the second signature from the information processing device 100. Specifically, the second acquisition unit 821 receives the second signature from the information processing device 100 in response to having transmitted the first signature to the information processing device 100.
The second acquisition unit 821 may accept a start trigger that starts the processing of any of the functional units. The start trigger is, for example, a predetermined operation input by the user. The start trigger may be, for example, the reception of predetermined information from another computer. The start trigger may be, for example, the output of predetermined information by any of the functional units.
The second acquisition unit 821 accepts, for example, the acquisition of the target data as the start trigger for starting the processing of the second anonymization unit 822. The second acquisition unit 821 accepts, for example, the acquisition of the anonymized data as the start trigger for starting the processing of the second signature generation unit 823.
The second anonymization unit 822 performs anonymization processing on the target data and generates anonymized data. The anonymization processing is, for example, the calculation of a hash value. The second anonymization unit 822 generates the hash value of the target data as the anonymized data. The second anonymization unit 822 thereby makes it possible to generate a signature to be attached to the target data while preventing leakage of the target data.
The second signature generation unit 823 generates a first signature over the anonymized data using the first signature key. The second signature generation unit 823 generates the first signature by inputting the anonymized data and the first signature key into a signature function. The second signature generation unit 823 thereby obtains one of the elements needed to generate a signature identical to a signature made with the original signature key.
The second output unit 824 outputs the processing result of at least one of the functional units. The output format is, for example, display on a display, print output to a printer, transmission to an external device via the network I/F 603, or storage in a storage area such as the memory 602 or the recording medium 605. The second output unit 824 can thereby notify the user of the processing result of at least one of the functional units, improving the usability of the signing device 202.
The second output unit 824 transmits, for example, the first signature to the information processing device 100. Specifically, the second output unit 824 transmits the anonymized data with the first signature attached to the information processing device 100. The second output unit 824 thereby enables the information processing device 100 to generate the second signature.
The second output unit 824 transmits, for example, the second signature to the verification side device 203. Specifically, the second output unit 824 transmits the target data with the second signature attached to the verification side device 203. The second output unit 824 thereby enables the verification side device 203 to verify the target data based on the second signature.
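The key split and two-step signing described above (first generation unit 812 through second output unit 824), as an added example that is not code from the patent. It assumes textbook RSA with a multiplicative split of the private exponent, which this section does not name; the Mersenne-prime modulus, all function names, and the check of the first signature against the protection verification key are constructed for illustration.

```python
import hashlib
import math
import secrets
from dataclasses import dataclass

# Constructed toy parameters: two Mersenne primes give a fixed modulus so the
# example runs offline. They are NOT a safe RSA modulus, and no padding is used.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537  # original verification key (public exponent), assumed RSA


@dataclass
class KeyRecord:
    """One record of the key management table (fields as in FIG. 4)."""
    plugin_id: str
    protection_verification_key: int
    escrow_signature_key: int
    original_verification_key: int


def generate_keys(plugin_id: str):
    """Key management device 201: split the original signature key.

    Returns the protection (first) signature key for the signing device and
    the record held by the information processing device 100.
    """
    d = pow(E, -1, PHI)  # original signature key; never returned to anyone
    while True:
        d1 = secrets.randbelow(PHI - 3) + 3  # protection signature key
        if math.gcd(d1, PHI) == 1:
            break
    d1_inv = pow(d1, -1, PHI)
    d2 = (d * d1_inv) % PHI  # escrow key, chosen so that d1 * d2 = d (mod PHI)
    return d1, KeyRecord(plugin_id, d1_inv, d2, E)


def conceal(data: bytes) -> int:
    """Second anonymization unit 822: hash of the target data as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def first_signature(hashed: int, protection_key: int) -> int:
    """Second signature generation unit 823: sign the hash with the first key."""
    return pow(hashed, protection_key, N)


def escrow_cosign(record: KeyRecord, hashed: int, sig1: int) -> int:
    """Information processing device 100: check sig1, then apply the escrow key.

    The check against the protection verification key is an assumption of this
    example; it stops the escrow key from being applied to arbitrary input.
    """
    if pow(sig1, record.protection_verification_key, N) != hashed:
        raise ValueError("first signature does not match the protection key")
    return pow(sig1, record.escrow_signature_key, N)


def verify(data: bytes, signature: int, verification_key: int) -> bool:
    """Verification side device 203: ordinary check with the original key."""
    return pow(signature, verification_key, N) == conceal(data)


def demo() -> bool:
    protection_key, record = generate_keys("plugin-0001")  # constructed ID
    data = b"constructed sample document"
    hashed = conceal(data)  # only the hash leaves the signing device
    sig1 = first_signature(hashed, protection_key)
    sig2 = escrow_cosign(record, hashed, sig1)
    return verify(data, sig2, record.original_verification_key)


if __name__ == "__main__":
    print("second signature verifies under original key:", demo())
```

Neither key half alone yields a signature that passes `verify`, so a signing device that loses its protection signature key can be cut off by deleting its record at the information processing device.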
The information processing device 100 includes a third storage unit 830, a third acquisition unit 831, a third verification unit 832, a third signature generation unit 833, and a third output unit 834.
The third storage unit 830 is realized, for example, by a storage area such as the memory 302 or the recording medium 305 shown in FIG. 3. The following describes a case in which the third storage unit 830 is included in the information processing device 100, but the arrangement is not limited to this. For example, the third storage unit 830 may be included in a device different from the information processing device 100, with its stored contents accessible from the information processing device 100.
The third acquisition unit 831 to the third output unit 834 function as an example of a control unit. Specifically, the third acquisition unit 831 to the third output unit 834 realize their functions, for example, by causing the CPU 301 to execute a program stored in a storage area such as the memory 302 or the recording medium 305 shown in FIG. 3, or by means of the network I/F 303. The processing results of each functional unit are stored, for example, in a storage area such as the memory 302 or the recording medium 305 shown in FIG. 3.
The third storage unit 830 stores various information that is referenced or updated in the processing of each functional unit. The third storage unit 830 stores, for example, the second signature key. The second signature key is acquired, for example, by the third acquisition unit 831.
The third storage unit 830 may store, for example, the first verification key. The first verification key is acquired, for example, by the third acquisition unit 831.
The third storage unit 830 may store, for example, the original verification key. The original verification key is acquired, for example, by the third acquisition unit 831.
The third acquisition unit 831 acquires various information used in the processing of each functional unit. The third acquisition unit 831 stores the acquired information in the third storage unit 830 or outputs it to each functional unit. The third acquisition unit 831 may also output information stored in the third storage unit 830 to each functional unit. The third acquisition unit 831 acquires various information based on, for example, a user's operation input. The third acquisition unit 831 may receive various information from, for example, a device different from the information processing device 100.
The third acquisition unit 831 acquires, for example, the second signature key. Specifically, the third acquisition unit 831 receives the second signature key from the key management device 201. The third acquisition unit 831 may acquire, for example, the first verification key. Specifically, the third acquisition unit 831 receives the first verification key from the key management device 201. The third acquisition unit 831 may acquire, for example, the original verification key. Specifically, the third acquisition unit 831 receives the original verification key from the key management device 201.
The third acquisition unit 831 acquires, for example, the first signature. Specifically, the third acquisition unit 831 receives the first signature from the signing device 202. Specifically, the third acquisition unit 831 may receive the anonymized data to which the first signature is attached from the signing device 202. The third acquisition unit 831 acquires, for example, the original verification key. Specifically, the third acquisition unit 831 receives the original verification key from the key management device 201.
The third acquisition unit 831 may accept a start trigger that starts the processing of any of the functional units. The start trigger is, for example, a predetermined operation input by the user. The start trigger may be, for example, the reception of predetermined information from another computer. The start trigger may be, for example, the output of predetermined information by any of the functional units.
The third acquisition unit 831 accepts, for example, the acquisition of the first signature as a start trigger for the processing of the third verification unit 832 and the third signature generation unit 833.
The third verification unit 832 uses the acquired first verification key to determine the validity of the received first signature. The third verification unit 832 verifies the validity of the first signature, for example, based on the anonymized data and using the first verification key. The third verification unit 832 can thereby determine whether the second signature may be generated. If the first signature is not valid, the third verification unit 832 can determine that the second signature need not be generated and discard the first signature. The third verification unit 832 may determine whether the second signature may be transmitted. If the first signature is not valid, the third verification unit 832 can discard the second signature generated by the third signature generation unit 833.
The third signature generation unit 833 generates a second signature for the received first signature using the acquired second signature key. The third signature generation unit 833 generates the second signature, for example, by inputting the first signature and the second signature key into the signature function. The third signature generation unit 833 can thereby generate a second signature that is identical to a signature made with the original signature key. The third signature generation unit 833 thus makes it possible to guarantee the authenticity of the anonymized data.
The third output unit 834 outputs the processing result of at least one of the functional units. The output format is, for example, display on a display, print output to a printer, transmission to an external device via the network I/F 303, or storage in a storage area such as the memory 302 or the recording medium 305. The third output unit 834 can thereby notify the user of the processing result of at least one of the functional units and improve the convenience of the information processing device 100.
The third output unit 834 transmits the generated second signature to the signing device 202. The third output unit 834 thereby enables the signing device 202 to guarantee the authenticity of the anonymized data. The third output unit 834 may transmit the acquired original verification key to the verification device 203. The third output unit 834 thereby enables the verification device 203 to verify the second signature.
The verification device 203 includes a fourth storage unit 840, a fourth acquisition unit 841, a fourth verification unit 842, and a fourth output unit 843.
The fourth storage unit 840 is realized, for example, by a storage area such as the memory 702 or the recording medium 705 shown in FIG. 7. The following describes a case in which the fourth storage unit 840 is included in the verification device 203, but the arrangement is not limited to this. For example, the fourth storage unit 840 may be included in a device different from the verification device 203, with its stored contents accessible from the verification device 203.
The fourth acquisition unit 841 to the fourth output unit 843 function as an example of a control unit. Specifically, the fourth acquisition unit 841 to the fourth output unit 843 realize their functions, for example, by causing the CPU 701 to execute a program stored in a storage area such as the memory 702 or the recording medium 705 shown in FIG. 7, or by means of the network I/F 703. The processing results of each functional unit are stored, for example, in a storage area such as the memory 702 or the recording medium 705 shown in FIG. 7.
The fourth storage unit 840 stores various information that is referenced or updated in the processing of each functional unit. The fourth storage unit 840 stores, for example, the original verification key. The original verification key is acquired by the fourth acquisition unit 841.
The fourth acquisition unit 841 acquires various information used in the processing of each functional unit. The fourth acquisition unit 841 stores the acquired information in the fourth storage unit 840 or outputs it to each functional unit. The fourth acquisition unit 841 may also output information stored in the fourth storage unit 840 to each functional unit. The fourth acquisition unit 841 acquires various information based on, for example, a user's operation input. The fourth acquisition unit 841 may receive various information from, for example, a device different from the verification device 203.
The fourth acquisition unit 841 acquires, for example, the second signature. Specifically, the fourth acquisition unit 841 receives the second signature from the signing device 202. More specifically, the fourth acquisition unit 841 receives the target data to which the second signature is attached from the signing device 202.
The fourth acquisition unit 841 acquires, for example, the original verification key. The fourth acquisition unit 841 may acquire the original verification key, for example, in response to acquiring the second signature. Specifically, the fourth acquisition unit 841 receives the original verification key from the key management device 201. Specifically, the fourth acquisition unit 841 may receive the original verification key from the information processing device 100. Specifically, the fourth acquisition unit 841 may receive the original verification key from the signing device 202.
The fourth acquisition unit 841 may accept a start trigger that starts the processing of any of the functional units. The start trigger is, for example, a predetermined operation input by the user. The start trigger may be, for example, the reception of predetermined information from another computer. The start trigger may be, for example, the output of predetermined information by any of the functional units.
The fourth acquisition unit 841 accepts, for example, the acquisition of the second signature and the original verification key as a start trigger for the processing of the fourth verification unit 842.
The fourth verification unit 842 verifies the validity of the second signature. The fourth verification unit 842 verifies the validity of the second signature, for example, based on the target data and using the original verification key. The fourth verification unit 842 can thereby verify the authenticity of the target data from the validity of the second signature. If the second signature is not valid, the fourth verification unit 842 can determine that the target data is not authentic and discard the target data.
The fourth output unit 843 outputs the processing result of at least one of the functional units. The output format is, for example, display on a display, print output to a printer, transmission to an external device via the network I/F 703, or storage in a storage area such as the memory 702 or the recording medium 705. The fourth output unit 843 can thereby notify the user of the processing result of at least one of the functional units and improve the convenience of the verification device 203.
The fourth output unit 843 outputs the result of verifying the validity of the second signature so that the user can refer to it. The fourth output unit 843 displays, for example, the result of verifying the validity of the second signature on the display 706. The fourth output unit 843 thereby lets the user grasp the validity of the second signature and the authenticity of the target data that this validity implies.
If the second signature is valid, the fourth output unit 843 outputs the target data so that the user can refer to it. The fourth output unit 843 displays, for example, the target data on the display 706. The fourth output unit 843 thereby lets the user see target data that is authentic. The fourth output unit 843 can improve security.
(Operation example 1 of signature control system 200)
Next, operation example 1 of the signature control system 200 will be described using FIGS. 9 to 11. Specifically, FIGS. 9 to 11 describe a case in which a signer who is about to provide a contract to a verifier wants to obtain, from the information processing device 100, a signature to attach to the contract while keeping the contract confidential.
Here, the blind signature method described below is conceivable as a way to generate a signature to attach to a contract while keeping the contract confidential. First, an example of the blind signature method will be described using FIG. 9. After that, operation example 1 of the signature control system 200 in the case where this blind signature method is applied to the signature control system 200 will be described using FIGS. 10 and 11.
FIG. 9 is an explanatory diagram showing an example of the blind signature method. In FIG. 9, it is assumed that an original signature key 900 exists. The original signature key 900 can be split into a combination of a protected signature key 901 and an escrow signature key 902. For example, the escrow signature key 902 to be combined with the protected signature key 901 can be generated based on the original signature key 900 and the protected signature key 901.
Blind processing 941 using the protected signature key 901 is defined for the contract 910. When blind processing 941 using the protected signature key 901 is performed on the contract 910, anonymized data 911 corresponding to the contract 910 and a protected signature 921 are generated. The anonymized data 911 is a hash value of the contract 910.
Blind processing 941 consists of, for example, inputting the contract 910 into a hash function to generate the anonymized data 911, which is the hash value of the contract 910, and then inputting the anonymized data 911 and the protected signature key 901 into the signature function to generate the protected signature 921.
Sign processing 942 using the escrow signature key 902 is defined for the protected signature 921. When sign processing 942 using the escrow signature key 902 is performed on the protected signature 921, an escrow signature 922 is generated.
Sign processing 942 consists of, for example, generating the escrow signature 922 by inputting the protected signature 921 and the escrow signature key 902 into the signature function.
Here, if sign processing 943 using the original signature key 900 were performed on the contract 910, an original signature 931 would be generated. The escrow signature 922 has the property that it matches the original signature 931. The escrow signature 922 is therefore generated so that it can be verified with the original verification key 903 corresponding to the original signature key 900.
The escrow signature 922 may instead be generated so that it matches the original signature 931, and becomes verifiable with the original verification key 903, after unblind processing 944 corresponding to the blind processing has been performed.
In the process of generating the escrow signature 922, the blind signature method described above allows the step that uses the protected signature key 901 and the step that uses the escrow signature key 902 to be divided between different computers. Accordingly, as long as the signer holds the protected signature key 901 securely and controls the step that uses the protected signature key 901, the blind signature method is considered able to prevent the escrow signature 922 from being generated fraudulently.
The blind signature method described above can also generate the escrow signature 922 without using the original signature key 900, which is valid on its own. The signer only has to manage the protected signature key 901, which is not valid on its own. The signer also does not have to provide the original signature key, which is valid on its own, to any outside party. The blind signature method can therefore improve security and reduce the workload placed on the signer.
In addition, through blind processing 941 using the protected signature key 901, the blind signature method described above makes it easier to manage the contract 910 securely. Next, the description moves on to FIGS. 10 and 11.
FIGS. 10 and 11 are explanatory diagrams showing operation example 1 of the signature control system 200. In FIG. 10, the signing device 202 has a browser plug-in and operates using the browser plug-in. The verification device 203 has a mailer plug-in and operates using the mailer plug-in. The key management device 201 is used, for example, by the signer. Specifically, it is assumed that the key management device 201 uses authentication processing to identify and accept operation input from the legitimate signer. The information processing device 100 provides Trust as a Service.
(10-1) Based on the signer's operation input, the key management device 201 generates an original key pair by KeyGen processing 1000. The original key pair is a combination of an original signature key 1001 and an original verification key 1002.
KeyGen processing 1000 consists of, for example, computing $(N, e, d) \leftarrow \mathrm{RSA.Gen}(k)$ according to the key generation algorithm of the RSA cryptosystem. Specifically, the key management device 201 computes $(N, e, d) \leftarrow \mathrm{RSA.Gen}(k)$, sets $pk = e$ as the original verification key 1002, sets $N$ as a public parameter, and sets $sk = d$ as the original signature key 1001.
(10-2) Based on the signer's operation input, the key management device 201 generates a protection key pair by KeyGen processing 1000. The protection key pair is a combination of a protected signature key 1011 and a protection verification key 1012. Specifically, the key management device 201 computes $(N, e', d') \leftarrow \mathrm{RSA.Gen}(k)$, sets $pk = e'$ as the protection verification key 1012, sets $N$ as a public parameter, and sets $sk = d'$ as the protected signature key 1011. $N$ is the same as the one used when the original key pair was generated.
(10-3) The key management device 201 generates an escrow key pair by KeyGen processing 1000. The escrow key pair is a combination of an escrow signature key 1021 and an escrow verification key 1022. Specifically, the key management device 201 computes $d'' = d \cdot e' \bmod N$ and sets $sk = d''$ as the escrow signature key 1021. The key management device 201 may generate the escrow verification key 1022 corresponding to the escrow signature key 1021, or it may omit generating the escrow verification key 1022. The key management device 201 defines a hash function $H : \{0,1\}^* \rightarrow Z_N$ and provides it to the signing device 202 and the information processing device 100.
(10-4) The key management device 201 transmits the protection key pair to the signing device 202. The key management device 201 transmits the original verification key 1002, the protection verification key 1012, and the escrow signature key 1021 to the information processing device 100. Once the protection key pair and the escrow key pair have been generated, the key management device 201 may discard the original signature key 1001. Next, the description moves on to FIG. 11.
In FIG. 11, (11-1) the signing device 202 acquires a contract 1100 based on the signer's operation input. The signing device 202 sets the acquired contract 1100 as the message $m$. The signing device 202 performs Blind processing 1121 on the message $m$.
Blind processing 1121 consists of computing $m' \leftarrow H(m)$, which is the hash value 1101 of the message $m$, and computing $\sigma' = \mathrm{RSA.Sign}(m', d') = (m')^{d'} \bmod N$, which is the protected signature 1111.
The signing device 202, for example, computes the hash value 1101 ($m' \leftarrow H(m)$) of the message $m$ as a blind message and computes the protected signature 1111 ($\sigma' = \mathrm{RSA.Sign}(m', d') = (m')^{d'} \bmod N$). (11-2) The signing device 202 transmits the hash value 1101 ($m'$), with the protected signature 1111 ($\sigma$) attached, to the information processing device 100.
(11-3) The information processing device 100 receives the hash value 1101 ($m'$), with the protected signature 1111 ($\sigma$) attached, from the signing device 202. The information processing device 100 uses the protection verification key 1012 ($d'$) to verify the validity of the protected signature 1111 ($\sigma$) based on the hash value 1101 ($m'$). If the protected signature 1111 ($\sigma$) is not valid, the information processing device 100 discards the hash value 1101 ($m'$) to which the protected signature 1111 ($\sigma$) is attached.
(11-4) If the protected signature 1111 ($\sigma$) is valid, the information processing device 100 performs Sign processing 1122 on the protected signature 1111 ($d'$). Sign processing 1122 consists of, for example, computing $\sigma'' = \mathrm{RSA.Sign}(\sigma', d'') = (\sigma')^{d''} \bmod N$, which is the escrow signature 1112.
The information processing device 100, for example, computes the escrow signature 1112 ($\sigma'' = \mathrm{RSA.Sign}(\sigma', d'') = (\sigma')^{d''} \bmod N$). Here, $\sigma'' = (H(m)^{d'})^{d''} = (H(m))^{d}$, which matches the original signature $\sigma$ made with the original signature key 1001. (11-5) The information processing device 100 transmits the escrow signature 1112 to the signing device 202.
(11-6) The signing device 202 receives the escrow signature 1112 from the information processing device 100. The signing device 202 performs Unblind processing 1123, corresponding to Blind processing 1121, on the escrow signature 1112 and obtains an original signature 1113. Unblind processing 1123 is performed, for example, based on a parameter $r$ corresponding to Blind processing 1121.
Specifically, the content of Unblind processing 1123 is defined according to the content of Blind processing 1121. Depending on the content of Blind processing 1121, Unblind processing 1123 may therefore perform no processing on the escrow signature 1112 and simply set the escrow signature 1112 as the original signature 1113 as it is.
Here, it is assumed that Unblind processing 1123 performs no processing on the escrow signature 1112. In other words, the signing device 202 may skip Unblind processing 1123. (11-7) The signing device 202 transmits the message $m$, with the original signature 1113 attached, to the verification device 203 by e-mail.
(11-8) The verification device 203 receives the message $m$, with the original signature 1113 attached, from the signing device 202 by e-mail. In response to receiving the message $m$ with the original signature 1113 attached, the verification device 203 acquires the original verification key 1002 from the information processing device 100. The verification device 203 verifies the validity of the original signature 1113 using the original verification key 1002.
The verification device 203 outputs the result of verifying the validity of the original signature 1113 so that the verifier can refer to it. If the original signature 1113 is not valid, the verification device 203 discards the message $m$ to which the original signature 1113 is attached. If the original signature 1113 is valid, the verification device 203 outputs the message $m$ to which the original signature 1113 is attached so that the verifier can refer to it.
As a result, the signature control system 200 allows the signing device 202 to do without the original signature key 1001, which is valid on its own, and to hold only the protected signature key 1011, which is not valid on its own. The signature control system 200 can therefore prevent leakage of the original signature key 1001.
The signature control system 200 also allows the information processing device 100 to do without the original signature key 1001, which is valid on its own, and to hold the escrow signature key 1021, which is not valid on its own. The signature control system 200 can therefore improve security. The signature control system 200 can make it easier to keep the message $m$ confidential. The signature control system 200 can accordingly reduce the workload placed on the signer.
In this way, even if the escrow signature key 1021 leaks from the information processing device 100 to an attacker, the signature control system 200 can prevent the attacker from generating the original signature 1113 as long as the protected signature key 1011 has not leaked to the attacker. The signature control system 200 can prevent the attacker from attaching the original signature 1113 to anything other than the signer's legitimate message $m$.
Similarly, even if the information processing device 100 is used by an attacker, the signature control system 200 can prevent the attacker from attaching the original signature 1113 to anything other than the signer's legitimate message $m$. Even if the message $m$ is intercepted and tampered with by an attacker, or intercepted and replaced with an illegitimate message $m$, the signature control system 200 enables the verification device 203 to verify the authenticity of the message $m$ properly. In this way, the signature control system 200 can improve security and realize an original signature 1113 with relatively high reliability.
(Operation example 2 of signature control system 200)
Next, operation example 2 of the signature control system 200 will be described. Operation example 2 is a specific example in which the signature control system 200 uses a nonce to make it easier to conceal statistical information about the same blind message. Specifically, the nonce is a random number. The statistical information is, for example, the number of times the escrow signature 1112 has been generated for the same blind message.
Operation example 2 replaces the processing of the Blind process 1121 shown in FIGS. 10 and 11 with the processing described below.
In operation example 2, the Blind process 1121 draws a nonce $r_1$ from a uniform distribution. The Blind process 1121 computes $m' \leftarrow H(m, r_1)$, which serves as the hash value 1101 of the message m, and computes the protected signature 1111 as $\sigma' = \mathrm{RSA.Sign}(m', d') = (m')^{d'} \bmod N$.
As a result, the signature control system 200 can make the concrete value of the escrow signature 1112 differ each time the escrow signature 1112 is generated for the hash value 1101 that forms the same blind message. Therefore, the signature control system 200 can make it easier to conceal statistical information about the same blind message.
(Operation example 3 of signature control system 200)
Next, operation example 3 of the signature control system 200 will be described. Operation example 3 is a specific example of achieving unlinkability. Unlinkability is, for example, the property that even if the signed message m and the nonce $r_1$ are made public in the future, it is difficult for the information processing device 100 to associate the message m with the blind message.
Consider, for example, a case in which the message m indicates a bid price and is published at a predetermined time. In this case, if unlinkability has not been achieved, the information processing device 100 may be able to associate the message m with the blind message on the basis of the published message m indicating the bid price.
Operation example 3 replaces the processing of the Blind process 1121 and the Unblind process 1123 shown in FIGS. 10 and 11 with the processing described below.
In operation example 3, the Blind process 1121 draws nonces $r_1$ and $r_2$ from a uniform distribution. The Blind process 1121 computes $m' \leftarrow H(m, r_1) \cdot r_2^{e}$, which serves as the hash value 1101 of the message m, and computes the protected signature 1111 as $\sigma' = \mathrm{RSA.Sign}(m', d') = (m')^{d'} \bmod N$.
In operation example 3, the Unblind process 1123 computes the original signature 1113 as $\sigma = \sigma'' \cdot r_2^{-1}$ on the basis of the escrow signature 1112 ($\sigma''$). As a result, the signature control system 200 can achieve unlinkability. The signature control system 200 can improve security. The signature control system 200 can protect the privacy of the signer.
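The Blind, Sign and Unblind computations of operation example 3, written out as an added example that is not part of the patent text. It assumes the RSA key is split as d = d'·d'' mod φ(N), by analogy with the split z = x·y^{-1} mod p given for operation example 4; the toy modulus built from two Mersenne primes, SHA-256 reduced mod N as H, and all function names are constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters (assumption): N is the product of two Mersenne
# primes. Good enough to follow the algebra, unusable as a real RSA modulus.
P, Q = 2**127 - 1, 2**107 - 1
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537


def keygen():
    """Return (d, d1, d2): original key d, protected key d', escrow key d''.

    Assumed split: d1 * d2 = d (mod phi(N)), so neither share signs alone.
    """
    d = pow(E, -1, PHI)
    while True:
        d1 = secrets.randbelow(PHI - 3) + 2
        if gcd(d1, PHI) == 1:          # d1 must be invertible mod phi(N)
            break
    d2 = (d * pow(d1, -1, PHI)) % PHI
    return d, d1, d2


def H(message: bytes, r1: bytes) -> int:
    """H(m, r1): SHA-256 over the fixed-length nonce and message, mod N."""
    return int.from_bytes(hashlib.sha256(r1 + message).digest(), "big") % N


def random_unit() -> int:
    """Uniform r2 that is invertible mod N, as Unblind needs r2^-1."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r


def blind(message: bytes, d1: int):
    """Signing device: m' = H(m, r1) * r2^e, sigma' = (m')^d' mod N."""
    r1, r2 = secrets.token_bytes(32), random_unit()
    m_blind = (H(message, r1) * pow(r2, E, N)) % N
    return r1, r2, m_blind, pow(m_blind, d1, N)


def escrow_sign(sigma1: int, d2: int) -> int:
    """Information processing device: sigma'' = (sigma')^d'' mod N."""
    return pow(sigma1, d2, N)


def unblind(sigma2: int, r2: int) -> int:
    """Signing device: sigma = sigma'' * r2^-1 mod N."""
    return (sigma2 * pow(r2, -1, N)) % N


def verify(message: bytes, r1: bytes, sigma: int) -> bool:
    """Verification device: sigma^e mod N must equal H(m, r1)."""
    return pow(sigma, E, N) == H(message, r1)


def sign_flow(message: bytes, d1: int, d2: int):
    """Run Blind -> Sign -> Unblind; return what each party ends up seeing."""
    r1, r2, m_blind, sigma1 = blind(message, d1)
    sigma = unblind(escrow_sign(sigma1, d2), r2)
    return r1, m_blind, sigma


if __name__ == "__main__":
    d, d1, d2 = keygen()
    bid = b"bid: 1200"                 # constructed sample message
    r1, m_blind, sigma = sign_flow(bid, d1, d2)
    print("verifies with original key pair:", verify(bid, r1, sigma))
    print("equals H(m, r1)^d:", sigma == pow(H(bid, r1), d, N))
    # The escrow holder only ever saw m_blind, which r2^e decouples from
    # H(m, r1) even after m and r1 are published.
    print("blind message differs from H(m, r1):", m_blind != H(bid, r1))
    # The escrow key on its own does not yield a valid signature.
    print("escrow key alone verifies:", verify(bid, r1, pow(H(bid, r1), d2, N)))
```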
(Operation example 4 of signature control system 200)
Next, operation example 4 of the signature control system 200 will be described. Operation example 4 is a specific example in which the signature control system 200 uses the BLS (Boneh-Lynn-Shacham) cryptosystem instead of the RSA cryptosystem.
Operation example 4 replaces the processing of the KeyGen process 1000, the Blind process 1121, the Sign process 1122, and the Unblind process 1123 shown in FIGS. 10 and 11 with the processing described below.
In operation example 4, let $G_1$, $G_2$, and $G_T$ be cyclic groups of prime order $p$, and let $g_1$, $g_2$, and $g_T$ be generators of $G_1$, $G_2$, and $G_T$, respectively. Assume that a pairing map $e: G_1 \times G_2 \to G_T$ is defined. The KeyGen process 1000 sets $sk = x$ as the original signature key 1001 and $pk = g_2^{x}$ as the original verification key 1002. The KeyGen process 1000 sets $sk' = y$ as the protected signature key 1011 and $pk = g_2^{y}$ as the protected verification key 1012. The KeyGen process 1000 sets $sk'' = z = x \cdot y^{-1} \bmod p$ as the escrow signature key 1021. The KeyGen process 1000 defines a hash function $H: \{0,1\}^{*} \to G_1$.
In operation example 4, the Blind process 1121 draws nonces $r_1$ and $r_2$ from a uniform distribution. The Blind process 1121 computes $m' \leftarrow H(m, r_1) \cdot g_1^{r_2}$, which serves as the hash value 1101 of the message m, and computes the protected signature 1111 as $\sigma' = (m')^{y} \bmod p$. In operation example 4, the Sign process 1122 computes, for example, $\sigma'' = (\sigma' \cdot X^{-r_2})$ as the escrow signature 1112, where $X$ is $pk$. In operation example 4, the Unblind process 1123 computes the original signature 1113 as $\sigma = \sigma'' \cdot X^{-r_2}$ on the basis of the escrow signature 1112 ($\sigma''$).
In operation example 4, the verification device 203 determines that the original signature 1113 is valid if $e(\sigma, g_2) = e(H(m, r_1), X)$ holds. The verification device 203 determines that the original signature 1113 is not valid if $e(\sigma, g_2) = e(H(m, r_1), X)$ does not hold. As a result, the signature control system 200 can use the BLS cryptosystem, which can be applied to threshold signatures, aggregate signatures, and the like, and can thereby improve convenience.
(Registration processing procedure)
Next, an example of the registration processing procedure executed by the signature control system 200 will be described using FIGS. 12 and 13.
FIGS. 12 and 13 are sequence diagrams showing an example of the registration processing procedure. In FIG. 12, the signer (Alice) inputs a key generation request into the key management device 201. The key management device 201 accepts the input of the key generation request (step S1201).
The key management device 201 generates an original key pair in response to the key generation request (step S1202). The key management device 201 generates a protected key pair (step S1203). The key management device 201 generates an escrow signature key (step S1204).
The key management device 201 transmits the protected key pair to the signing device 202 via a secure communication means (step S1205).
The signing device 202 receives the protected key pair using the browser plug-in. The signing device 202 uses the browser plug-in to transmit server authentication information to the information processing device 100 (step S1206). The server authentication information is information for guaranteeing the validity of the signing device 202.
When the information processing device 100 has confirmed the validity of the signing device 202 on the basis of the server authentication information, it transmits authentication success to the signing device 202 (step S1207). If the information processing device 100 cannot confirm the validity of the signing device 202, the signature control system 200 ends the registration process.
The signing device 202 uses the browser plug-in to transmit, to the information processing device 100, a registration request that associates the plug-in ID with the protected verification key (step S1208). In response to the registration request, the information processing device 100 registers the plug-in ID and the protected verification key in association with each other in the key management table 310. The information processing device 100 transmits registration completion to the signing device 202 (step S1209). The description now moves on to FIG. 13.
In FIG. 13, the signing device 202 uses the browser plug-in to transmit the plug-in ID to the key management device 201 (step S1301). The key management device 201 receives the plug-in ID from the signing device 202. The key management device 201 generates server registration information including the plug-in ID (step S1302). The server registration information contains the escrow signature key and the original verification key in association with the plug-in ID.
The key management device 201 generates a signature on the server registration information using the protected signature key and attaches the signature to the server registration information (step S1303). The key management device 201 transmits a registration request to the information processing device 100 (step S1304). The information processing device 100 transmits a request for transmission of the server registration information to the key management device 201 (step S1305).
The key management device 201 transmits the signed server registration information to the information processing device 100 via a secure communication means (step S1306). The information processing device 100 receives the signed server registration information from the key management device 201. The information processing device 100 verifies the signature attached to the server registration information using the protected verification key (step S1307).
If the signature is not valid, the information processing device 100 discards the server registration information. If the signature is valid, the information processing device 100 registers the protected verification key and the server registration information in the storage area in association with the plug-in ID (step S1308). Specifically, the information processing device 100 registers the protected verification key, together with the escrow signature key and the original verification key contained in the server registration information, in the key management table 310 in association with the plug-in ID. The information processing device 100 transmits registration completion to the key management device 201 (step S1309).
On receiving the registration completion, the key management device 201 outputs it so that the signer (Alice) can refer to it (step S1310). The key management device 201 may discard the original signature key (step S1311). The signature control system 200 ends the registration process. As a result, the signature control system 200 can appropriately generate the protected signature key, the protected verification key, the escrow signature key, and the original verification key, and distribute them to the signing device 202 and the information processing device 100.
(Signature processing procedure)
Next, an example of the signature processing procedure executed by the signature control system 200 will be described using FIGS. 14 and 15.
FIGS. 14 and 15 are sequence diagrams showing an example of the signature processing procedure. In FIG. 14, the signer (Alice) uses a PC or the like to create a document to be signed (step S1401). The signer (Alice) uses the PC or the like to transmit the document to be signed to the signing device 202 (step S1402).
The signing device 202 uses the protected signature key of the protected key pair to perform the Blind process and generate a protected signature for the document (step S1403). The signing device 202 transmits a signature processing start notification to the information processing device 100 (step S1404). The signing device 202 receives an acknowledgement of the start notification from the information processing device 100 (step S1405).
The signing device 202 uses the browser plug-in to transmit verification information to the information processing device 100 (step S1406). The verification information includes, for example, the hash value of the document, the protected signature, and the plug-in ID. The plug-in ID is identification information that makes the signing device 202 identifiable. Specifically, the plug-in ID is identification information that makes the browser plug-in of the signing device 202 identifiable.
The information processing device 100 receives the verification information. The information processing device 100 acquires, from the key management table 310, the escrow signature key and the protected verification key associated with the plug-in ID included in the verification information (step S1407). The information processing device 100 verifies the validity of the verification information using the protected verification key (step S1408).
If the verification information is not valid, the information processing device 100 discards the verification information, and the signature control system 200 ends the signature process. If the verification information is valid, the information processing device 100 performs the Sign process using the escrow signature key, generates an escrow signature on the protected signature, and attaches the escrow signature to the protected signature (step S1409). The description now moves on to FIG. 15.
In FIG. 15, the information processing device 100 transmits the protected signature with the escrow signature attached to the signing device 202 (step S1501). The signing device 202 uses the browser plug-in to receive the protected signature with the escrow signature attached from the information processing device 100. The signing device 202 uses the browser plug-in to perform the Unblind process on the protected signature and generate the original signature (step S1502).
The signing device 202 uses the browser plug-in to attach the original signature to the document (step S1503). The signing device 202 transmits the document with the original signature attached to the verification device 203 (step S1504). The verification device 203 uses the mailer plug-in to receive the document with the original signature attached from the signing device 202.
The verifier (Bob) inputs a request for verification of the original signature into the verification device 203 (step S1505). The verification device 203 uses the mailer plug-in to accept the input of the verification request. The verification device 203 uses the mailer plug-in to transmit the plug-in ID to the information processing device 100 and request the original verification key from the information processing device 100 (step S1506).
The information processing device 100 acquires the original verification key from the key management table 310 on the basis of the plug-in ID. The information processing device 100 returns the original verification key, in association with the plug-in ID, to the verification device 203 (step S1507). The verification device 203 uses the mailer plug-in to receive the original verification key from the information processing device 100.
The verification device 203 uses the mailer plug-in to verify the validity of the original signature and thereby the authenticity of the document to which the original signature is attached (step S1508). The verification device 203 uses the mailer plug-in to output the verification result so that the verifier (Bob) can refer to it (step S1509). As a result, the signature control system 200 enables the signing device 202 and the verification device 203 to exchange documents safely while ensuring security.
As described above, the information processing device 100 can acquire the second signature key from a management device that has a combination of a first signature key and a second signature key that enables generation of the same signature as the original signature key. The information processing device 100 can receive, from the first device 802 that has the first signature key, a first signature on anonymized data made with the first signature key. The information processing device 100 can generate a second signature on the received first signature using the acquired second signature key. The information processing device 100 can transmit the generated second signature to the first device 802. As a result, the information processing device 100 can generate a second signature with relatively high reliability, provide it to the first device 802, and make it usable by the first device 802.
The information processing device 100 can further acquire the original verification key from the management device, which has the original verification key corresponding to the original signature key. The information processing device 100 can transmit the acquired original verification key to the second device 803, which verifies the second signature. As a result, the information processing device 100 can enable the second device 803 to verify the second signature, which has relatively high reliability.
The information processing device 100 can further acquire the first verification key from the management device, which has the first verification key corresponding to the first signature key. The information processing device 100 can determine the validity of the received first signature using the acquired first verification key. When the information processing device 100 determines that the received first signature is valid, it can transmit the generated second signature to the first device 802. As a result, the information processing device 100 can improve security.
The information processing device 100 can treat the hash value of the target data as the anonymized data. As a result, the information processing device 100 can also be applied when the target data is anonymized.
The information processing device 100 can communicate with a management device that is the same device as the first device 802. As a result, the information processing device 100 can also be applied to a situation in which the first device 802 and the management device are the same device.
Note that the signature control method described in this embodiment can be realized by executing a program prepared in advance on a computer such as a PC or a workstation. The signature control program described in this embodiment is recorded on a computer-readable recording medium and is executed by being read from the recording medium by the computer. The recording medium is a hard disk, a flexible disk, a CD (Compact Disc)-ROM, an MO (Magneto Optical disc), a DVD (Digital Versatile Disc), or the like. The signature control program described in this embodiment may also be distributed via a network such as the Internet.
100 Information processing device
101, 801 Management device
102, 802 First device
103, 803 Second device
111 Original signature key
112 Original verification key
121 First signature key
122 First verification key
131 Second signature key
132 Second verification key
141, 911 Anonymized data
142 First signature
143 Second signature
200 Signature control system
201 Key management device
202 Signing device
203 Verification device
210 Network
300, 500, 600, 700 Bus
301, 501, 601, 701 CPU
302, 502, 602, 702 Memory
303, 503, 603, 703 Network I/F
304, 504, 604, 704 Recording medium I/F
305, 505, 605, 705 Recording medium
310 Key management table
606, 706 Display
607, 707 Input device
810 First storage unit
811 First acquisition unit
812 First generation unit
813 First output unit
820 Second storage unit
821 Second acquisition unit
822 Second anonymization unit
823 Second signature generation unit
824 Second output unit
830 Third storage unit
831 Third acquisition unit
832 Third verification unit
833 Third signature generation unit
834 Third output unit
840 Fourth storage unit
841 Fourth acquisition unit
842 Fourth verification unit
843 Fourth output unit
900, 1001 Original signature key
901, 1011 Protected signature key
902, 1021 Escrow signature key
903, 1002 Original verification key
910, 1100 Contract
921, 1111 Protected signature
922, 1112 Escrow signature
931, 1113 Original signature
941 Blind processing
942, 943 Sign processing
1000 KeyGen process
1012 Protected verification key
1022 Escrow verification key
1101 Hash value
1121 Blind process
1122 Sign process
1123 Unblind process

Claims (9)

  1.  元署名鍵と同一の署名を生成可能にする、第1署名鍵と第2署名鍵との組み合わせを有する管理装置から、前記第2署名鍵を取得し、
     秘匿化データに対する、前記第1署名鍵による第1署名を、前記第1署名鍵を有する第1装置から受信し、
     受信した前記第1署名に対する、取得した前記第2署名鍵による第2署名を生成し、
     生成した前記第2署名を、前記第1装置に送信する、
     処理をコンピュータが実行することを特徴とする署名制御方法。
    obtaining the second signature key from a management device that has a combination of a first signature key and a second signature key that enables generation of the same signature as the original signature key;
    receiving a first signature using the first signature key on the anonymized data from a first device having the first signature key;
    generating a second signature using the acquired second signature key for the received first signature;
    transmitting the generated second signature to the first device;
    A signature control method characterized in that processing is executed by a computer.
  2.  前記管理装置は、さらに、前記元署名鍵に対応する元検証鍵を有し、
     前記管理装置から、さらに、前記元検証鍵を取得し、
     取得した前記元検証鍵を、前記第2署名を検証する第2装置に送信する、
     処理を前記コンピュータが実行することを特徴とする請求項1に記載の署名制御方法。
    The management device further includes an original verification key corresponding to the original signature key,
    further acquiring the original verification key from the management device;
    transmitting the obtained original verification key to a second device that verifies the second signature;
    The signature control method according to claim 1, wherein the processing is executed by the computer.
  3.  前記管理装置は、さらに、前記第1署名鍵に対応する第1検証鍵を有し、
     前記管理装置から、さらに、前記第1検証鍵を取得し、
     取得した前記第1検証鍵を利用して、受信した前記第1署名の正当性を判定する、
     処理を前記コンピュータが実行し、
     受信した前記第1署名が正当であると判定した場合、生成した前記第2署名を、前記第1装置に送信する、ことを特徴とする請求項1または2に記載の署名制御方法。
    The management device further includes a first verification key corresponding to the first signature key,
    further acquiring the first verification key from the management device;
    determining the validity of the received first signature using the acquired first verification key;
    the computer executes the process;
    3. The signature control method according to claim 1, further comprising transmitting the generated second signature to the first device when it is determined that the received first signature is valid.
  4.  前記秘匿化データは、対象データのハッシュ値である、ことを特徴とする請求項1または2に記載の署名制御方法。 The signature control method according to claim 1 or 2, wherein the anonymized data is a hash value of the target data.
  5.  前記第1装置は、前記管理装置と同一の装置である、ことを特徴とする請求項1または2に記載の署名制御方法。 3. The signature control method according to claim 1, wherein the first device is the same device as the management device.
  6.  A signature control program that causes a computer to execute processing of:
     acquiring a second signature key from a management device that has a combination of a first signature key and the second signature key, the combination enabling generation of the same signature as an original signature key;
     receiving a first signature on anonymized data, generated with the first signature key, from a first device having the first signature key;
     generating a second signature on the received first signature with the acquired second signature key; and
     transmitting the generated second signature to the first device.
  7.  An information processing device comprising a control section that:
     acquires a second signature key from a management device that has a combination of a first signature key and the second signature key, the combination enabling generation of the same signature as an original signature key;
     receives a first signature on anonymized data, generated with the first signature key, from a first device having the first signature key;
     generates a second signature on the received first signature with the acquired second signature key; and
     transmits the generated second signature to the first device.
  8.  A system including a management device, an information processing device, a first device, and a second device, wherein
     the management device
     generates a combination of a first signature key and a second signature key that enables generation of the same signature as an original signature key, provides the generated second signature key to the information processing device, and provides the generated first signature key to the first device,
     the first device
     acquires the first signature key from the management device, generates a first signature on anonymized data with the acquired first signature key, transmits the generated first signature to the information processing device, receives from the information processing device, in response to transmitting the first signature to the information processing device, a second signature on the first signature generated with the second signature key, and transmits the received second signature to the second device,
     the information processing device
     acquires the second signature key from the management device, receives the first signature from the first device, generates the second signature on the received first signature with the acquired second signature key, and transmits the generated second signature to the first device, and
     the second device
     receives the second signature from the first device, acquires an original verification key corresponding to the original signature key, and verifies the received second signature with the acquired original verification key.
  9.  The system according to claim 8, wherein
     the management device
     further generates the original verification key and transmits it to the information processing device,
     the information processing device
     further acquires the original verification key from the management device and transmits the acquired original verification key to the second device, and
     the second device
     receives the second signature from the first device, receives the original verification key from the information processing device, and verifies the received second signature with the received original verification key.
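The exchange in claims 1, 3, 4 and 8, as an added example that is not code from the patent or its applicant. The claims name no signature scheme, so this assumes textbook (unpadded) RSA with the private exponent split multiplicatively, constructed toy primes, and that the hash value travels with the first signature; all function names are hypothetical.

```python
import hashlib
import math
import secrets

# Constructed toy parameters (assumption): two Mersenne primes, textbook RSA, no padding.
P, Q = 2**521 - 1, 2**607 - 1
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537   # (N, E): original verification key
D = pow(E, -1, PHI)                           # original signature key


def split_key():
    """Management device: return (d1, d2, e1) with d1 * d2 = D (mod PHI)."""
    while True:
        d1 = secrets.randbelow(PHI - 2) + 2
        if math.gcd(d1, PHI) == 1:
            e1 = pow(d1, -1, PHI)             # first verification key (claim 3)
            return d1, (D * e1) % PHI, e1


def conceal(document: bytes) -> int:
    """Anonymized data: hash value of the target data (claim 4)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def first_sign(h: int, d1: int) -> int:
    """First device: first signature over the hash with the first signature key."""
    return pow(h, d1, N)


def second_sign(h: int, s1: int, d2: int, e1: int):
    """Information processing device: check s1 (claim 3), then sign s1 with d2."""
    if pow(s1, e1, N) != h:
        return None                           # invalid first signature: refuse to co-sign
    return pow(s1, d2, N)


def verify(document: bytes, sig: int) -> bool:
    """Second device: verify using only the original verification key."""
    return pow(sig, E, N) == conceal(document)


def run_exchange(document: bytes):
    """Run key split, first signature and second signature; return (s1, s2)."""
    d1, d2, e1 = split_key()
    h = conceal(document)
    s1 = first_sign(h, d1)
    return s1, second_sign(h, s1, d2, e1)
```

Neither holder of a single key share can produce a signature that passes `verify`, and the information processing device sees only the hash value, never the target data.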
PCT/JP2022/016365 2022-03-30 2022-03-30 Signature control method, signature control program, information processing device, and system WO2023188218A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/016365 WO2023188218A1 (en) 2022-03-30 2022-03-30 Signature control method, signature control program, information processing device, and system

Publications (1)

Publication Number Publication Date
WO2023188218A1 true WO2023188218A1 (en) 2023-10-05

Family

ID=88199835

Country Status (1)

Country Link
WO (1) WO2023188218A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014112551A1 (en) * 2013-01-17 2014-07-24 日本電信電話株式会社 Secret-key split storage system, split storage device, and secret-key split storage method
JP2018029268A (en) * 2016-08-18 2018-02-22 三菱電機株式会社 Encryption system, encryption device, encryption program, and encryption method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
THOMAS WU ET AL.: "Building Intrusion-Tolerant Applications", PROCEEDINGS OF THE 8TH USENIX SECURITY SYMPOSIUM, August 1999 (1999-08-01), pages 1 - 14, XP061066767 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22935363

Country of ref document: EP

Kind code of ref document: A1