JP2001188757A - Service providing method using certificate - Google Patents

Abstract

PROBLEM TO BE SOLVED: To receive various services to which authority is applied in an anonymous state. SOLUTION: A user U asks a guarantor G to issue a certificate C. The certificate C stores one or more certification items M of characteristics (items equivalent to authority to receive a service such as address, age, and driving qualification) of the user U, a public key Pu corresponding to a secret key Su which can be used only by the user U, signature s obtained by a blind signature technique to a cipher text, and the cipher text obtained by enciphering the M, Pu, and the ID of the user by a probable encipherment system with an open key eJ of a judge J. The user U transmits the certificate C to a service provider S, and the service provider S transmits the certificate C to a verifier V, and the verifier V verifies that the certification items M are valid, and that the user U has the secret key Su corresponding to the open key Pu, and notifies it to the service provider S, and the service provider S applies a service corresponding to the certificate items M to the user U when the verification is correct.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention can be used only by a specific user, proves the characteristics of the user, and does not include information about the user other than the characteristics to be proved, or possess the user's possession. The present invention relates to a service providing method using an authentication method using a certificate including information obtained by removing at least one characteristic from a finite or infinite number of characteristics.

[0002]

2. Description of the Related Art Authentication means an entire operation in which an entity (apparatus) that provides a service confirms a right to use a service to a user before providing the service. Since the specific contents of the usage authority are individually different according to the contents of the provided service, the specific contents that need to be confirmed by the authentication greatly differ according to the contents of the service. For example, ATM (automatic cash deposit /
Payment device) to process different deposits for different users and to avoid infringing privacy,
It is necessary to identify the user in front of the terminal (ATM). At present, such a service provision employs a method using a personal identifier and a password, and an authentication method using a certificate in which personal information such as a name is described.
On the other hand, such as proof of car driving qualification and proof of the right to use a flat-rate Internet provider,
In a situation where the user needs to prove the right of the content common to all, it is not necessary to identify the individual by the authentication, and it is only necessary to confirm the existence of the right. However, under the present circumstances, even in a case where it is not necessary to identify an individual, authentication is often performed using information that can identify the individual as described above. For this reason, there has been a problem that when a service for which authentication is performed is used, personal information is leaked to the verification side even when it is not necessarily required.

[0003] This is a very serious problem from the viewpoint of privacy protection. Particularly in recent years, public wide area electronic networks such as the Internet have rapidly spread, and anyone can easily collect and distribute information.
For this reason, unnecessary leakage of personal information quickly and greatly affects an individual's social life.

[0004]

SUMMARY OF THE INVENTION An object of the present invention is to solve the problem that personal information is unnecessarily transmitted to a verification side in authentication, a user asserts his / her rights anonymously, and a service provider device is Even if an anonymous user can check the service usage authority, if necessary, a service providing method that can identify the user if the anonymous user has committed any wrongdoing It is to propose.

[0005]

According to the present invention, only a specific user can be used, the characteristics of the user are proved, and information on the user other than the proved characteristics is not included.
Alternatively, the most significant feature is to use an authentication method that uses a certificate that includes information that excludes at least one of the finite or infinite properties possessed by the user. Certificates and abstract models with the above properties are feasible. An example of this method is described in the literature, Naoyuki Sato, Hideaki Suzuki, "A Method of Authentication System Based on Certificates Focusing on Privacy Protection," Jikken Kenho, Vol. 99, No. 45, pp. 31-
36, 1999, ISSN 0919-6072.

[0006] A certificate having the above-mentioned properties has characteristic information obtained by removing at least one of the characteristics of the user, and is usable or unknown only by the user (represented by "unavailable" in this specification). At least information indicating that the guarantor has guaranteed the information and the corresponding user information is stored. Generally, the user information and the characteristic information are also explicitly described in the certificate. If the characteristic information guaranteed by the guarantor is clear, the characteristic information itself need not be explicitly stored in the certificate. For example, there is a case where a signature using a secret key used only for a specific item is guaranteed.

[0007] Further, if necessary, a cipher text in which the identification information ID for identifying the user is encrypted with a judge's public key by a probabilistic encryption method is stored. In this case, the cipher text is also stored in the signature. It is desirable that this probabilistic cryptosystem has a property that it can be easily converted to another ciphertext having the same plaintext using only ciphertext and public information, in particular.
Sometimes a new ciphertext X ₁ is subjected to the conversion to the ciphertext X ₀ Furthermore, the ciphertext is subjected to further conversion to the X ₁
When X _2, can be converted to X ₂ at a time from X _0, The conversion information from X ₀ to X ₂ can be constructed from the conversion information from the conversion information and X ₁ from X ₀ to X ₁ to X ₂ but from conversion information that has been constructed in which has the property that X ₁ is not known.

The certificate having the above-mentioned property stores at least information indicating that the guarantor has guaranteed the certificate, and further, the identification information ID is encoded by a probabilistic encoding method as required. In this case, a code sentence is stored. In this case, this code sentence is also a target of the signature, and the probability encoding method has a plurality of code sentences for one element.
From a code sentence, little information about the element is obtained. In particular, for a certain code sentence Y ₀ , there are _two code sentences Y ₁ and Y ₂ , one of which has the same _element as Y _0. Even if it is known that they are present, it is not possible to determine these, and it is easy to determine whether a certain value is the original for a code sentence,
A code sentence has a property that another code sentence having the same element can be easily generated without knowing its origin. In some cases, the code sentence Y ₀ is further converted to satisfy and Y _1, assuming that the code statement Y ₂ further converts the Y _1, it is possible to convert the Y ₂ at a time from Y _0, conversion information from the Y ₀ to Y ₂ from Y ₀ Y and conversion information to _1, the Y ₁
It can be easily constructed from the conversion information to Y _2, but those having a property of Y ₁ is not known to be generated in the middle from the conversion information that has been constructed.

Further, the certificate may include the contents of both of these two types of certificates. The ciphertext is used so that the judge can detect the ID of the user of the certificate, and the code text is used to verify whether the certificate matches the ID of the revocation list. As shown in FIG. 1, the service providing method according to the present invention includes a user device U, a service provider device S, and a verifier device V, and further includes a guarantor device A, a guarantor device G, a The government apparatus J is also included, and all of the apparatuses U, S, V, A, G, and J may be a single apparatus having a combination of two or more functions. Such devices can be connected via a communication network or can be directly connected between terminal devices.

[0010] The guarantor issues one or more certificates C for guaranteeing the characteristics (rights and characteristics) to the user by the guarantor device G. The guarantor invalidates the certificate C issued by the guarantor as necessary. The user uses the certificate C issued by the guarantor device G to certify his / her own characteristics to the verifier device V. The verifier apparatus V verifies the contents of the certificate C sent by the user apparatus U, the assurance agent apparatus A, or the service provider apparatus S, confirms the characteristics of the user, and displays the contents in the service provider apparatus. Send to S. Alternatively, the verifier apparatus V may send the information R that the assurance agent apparatus A has guaranteed at least a part of the contents of the certificate C to the assurance agent apparatus A directly or via the service provider apparatus S, or U and via the service provider device S,
The information R is verified and its contents are sent to the service provider device S. The service provider apparatus S provides a service to the user according to the content of the user's characteristic sent by the verifier apparatus G. Judge J will issue certificate C if necessary.
Identify the user more. Further, the judge apparatus J invalidates the user certificate C as necessary. The guarantor agent device A keeps the user certificate C from the user device U or the guarantor device G, and sends it to the user device U, the verifier device V, or the service provider device S when necessary. Alternatively, the assurance agent device A verifies part or all of the content of the received certificate, and if it is valid, information R indicating the assurance.
To the user device U, the service provider device S, or the verifier device V.

There are at least one guarantor device G, user device U, verifier device V, and service provider device S. There are zero or more judge devices J and guarantee agent devices A. However, when there are two or more judge apparatuses J, processing such as identification of the user is performed in accordance with the rules negotiated in these judge apparatuses J. The guarantor issues only one certificate C that guarantees the same characteristics to the user,
There is a way to issue multiple copies. When the user has only one certificate C, the verifier device V or the like cannot uniquely identify the user from the certificate C, but uses the certificate C as an index and designates the user as a specific anonymous person. Monitoring behavior is easy. When a plurality of certificates C are issued, and the user appropriately distinguishes and uses them, it becomes extremely difficult to monitor the behavior by the method described above.

In the present invention, the actual form of each component is arbitrary. Each of these six devices can be implemented as a “machine”, “software on a computer”, or the like. In the present invention, "service"
Refers to everything that benefits the user. Specifically, the provision of information, resources, labor, knowledge, wisdom, and computational power is a “service”. Service provider device S
Is a unit that can be realized in the form of “person”, “organization”, “machine”, “software on a computer”, etc., and provides one or more integrated services. In practice, even when two or more organizations provide one service in cooperation with each other, it is expressed as one service provider device S in the present invention.

In an embodiment, the same device may also serve as a plurality of elements described above. For example, the guarantor device G and the verifier device V may be one device. These combinations are optional.

[0014]

FIG. 2 shows a typical functional configuration of a system to which the method of the present invention is applied. Guarantor device G
Includes a certificate creation unit, a certificate transmission unit, and a certificate revocation unit. The user device U includes a certificate reception unit, a certificate presentation and use unit, a certificate storage and management unit as needed, or an information R. A receiving unit, an information R storage and management unit, and an information R transmitting unit are provided.
The assurance agent device A includes a certificate receiving unit, a certificate storage and management unit, a certificate transmitting unit or an information R creating unit, an information R transmitting unit, and an information R invalidating unit, and the service provider device S receives a certificate. (Or information R receiver), certificate transmitter (or information R)
A transmitting unit), a verification result receiving unit, a service content determining unit, and a service providing unit. The verifier device V includes a certificate receiving unit (or information R receiving unit), a certificate verifying unit (or information R verifying unit), a verification result transmitting unit, and a certificate (or information R) transmitting unit. Has a certificate receiving unit, a user identification unit, and a certificate revocation unit.

FIG. 3A shows an example of a certificate C used in the present invention. The certificate C is a signature s created by the guarantor apparatus G using blind signature technology on information including at least the public key P _B ⁱ , the certification matter M ^j, and the following cipher text E, code text D and c ^{j. j} , a private key S _B ⁱ that can only be used by the user, and a corresponding public key P _B ⁱ (this is a key to be used for the certificate, and is used to uniquely specify the user who can use the certificate. ) And, for example, "characters for driving a normal car" or "20 years or older", "qualifications for driving a normal car, issued on January 16, 1999, valid until January 16, 2004". a characteristic information at least one removed, the content M ^j of the certificate C to ensure, encrypted by probabilistic encryption scheme to the user identification information ID _B with the public key e _J judge device J _Ciphertext E = E _crypt (e _J , ID _B , r ^j )
And a code sentence D obtained by encoding ID _B by a stochastic coding method
= E _code (ID _B , r ' ^j ) and a random number c ^j for improving security are stored. r ^j and r ′ ^j are arbitrary numbers. This probabilistic encryption method has a property that another ciphertext having the same plaintext can be easily generated using only the ciphertext and public information. There is, from the code statement, not obtained little information about the source, to the code statement Y ₀ in particular, two code statements
There are Y ₁ and Y ₂ , and even if it is known that either of them has the same _element as Y _0, it cannot be determined. It has the property that it can be discriminated, and another code sentence having the same element can be easily generated for a code sentence without knowing its origin.
The properties required for these encryption schemes and encoding schemes are necessary in the procedure for issuing the certificate C.

FIG. 3B shows another example of the certificate C. The certificate C has at least a certification matter M, a public key P, and information including the following ciphertext E, codetext D, and supplementary information.
The signature s created by the guarantor apparatus G using the blind signature technique, the public key P corresponding to the secret key S that can be used only by the user, and the certification matter M that is the content guaranteed by the certificate.
And, the public identification information ID of the user of the judge key e _j by the probabilistic encryption method in encrypted ciphertext _{E = E crypt (e j,} ID,
r) and a code sentence D = E in which the ID is coded by the stochastic coding method.
_code (ID, r ') and supplementary information for secure certificate issuance (U ₂ ,…, U _R ), (V ₂ ,…, V _R ), (c ₁ ,…, c _R ) Are stored. r, r 'is any number, R is safe parameters, probabilistic encryption scheme ciphertext X ₀ in addition to having the properties as if set forth for the certificate shown in Figure 3A
Converts the ciphertext X _1, assuming that converts X ₁ further ciphertext X _2, conversion information to convert the X ₂ at a time from X _0, also from X ₀ to X ₂ is, X _Although the conversion information from ₀ to X ₁ and the conversion information from X ₁ to X ₂ can be constructed, it has the property that X ₁ is not known from X ₂ . As with the hybrid coding scheme described certificates shown in FIG. 3A, resulting properties, and in addition to the code statement Y ₁ in which the transformation that satisfies the properties of ~ the code statement Y _0, Y ₁ If the code sentence Y ₂ is obtained by performing a further conversion to Y ₂ , Y ₂ can be converted at once from Y ₀ , and the above conversion information from Y ₀ to Y ₂ is converted from Y ₀ to Y ₁ information and, can be readily constructed from the conversion information from the Y ₁ to Y ₂ have the property that Y ₁ is not known from Y _2.

An example of a procedure for issuing and verifying a certificate shown in FIG. 3A is described in the above-mentioned document, and an example of a procedure for issuing and verifying a certificate shown in FIG. 3B is briefly described at the end. . <Embodiment 1: Basic Model> In the system shown in FIG. 4, before a user uses a service provided by a service provider, issuance of a certificate for proving characteristics necessary for using the service. Is requested by the user device U to the guarantor device G of the guarantor having the role of issuing the certificate. The guarantor device G checks whether or not the user has the required characteristics, that is, whether or not the certificate can be issued by using each means. The certificate C is issued and sent to U (1-1).
The user apparatus U sends the received certificate C to the assurance agent apparatus A (1-2), and the assurance agent apparatus A receives and stores the certificate C.

When using the service, the user transfers the certificate C from the assurance agent device A to the user device U.
(2-1), and sends it to the device S of the service provider (2-2). The service provider device S sends the received certificate C to the verifier device V (2-3). The verifier apparatus V verifies the received certificate C and notifies the service provider apparatus S of the verification result (2-4).
The service provider device S receives the verification result of the certificate C, and provides a service to the user in accordance with the verification result.

When necessary, the judge identifies the user by examining the certificate C with the judge device J.
If necessary, the guarantor device G and the judge device J invalidate the user certificate C. In each verification operation described above, the certificate M of the certificate C is verified to be valid, and that the user is a valid user of the certificate C is determined by the public key (information) of the certificate. Using P, it is verified that the corresponding secret key (information) S is available only to the user. Verification in the following means performing both of these verifications. Also, sending a certificate generally means sending the entire contents of the certificate via a communication network, or directly from one device to another. <Second Embodiment: Extension of Basic Model> As an extension of the basic model of <First Embodiment>, the user device U
Does not send the certificate C to the guarantor device A, but the guarantor device G sends the certificate C directly to the guarantor device A. Further, when the user device U itself stores the certificate C, when the user device U sends the certificate C to the service provider device S, the certificate C is sent from the assurance agent device A. No need to receive. In addition, there is also a case where the user device U instructs the assurance agent device A to send the certificate C directly to the service provider device S or the verifier device V (not through the user device U). is there. Alternatively, the assurance agent apparatus A receives the certificate, issues, for example, a signed one to some or all of the proof matter M of the certificate C, that is, creates information R that guarantees this proof matter, The information R may be sent to the verifier device V directly or to the verifier device V via the service provider device S or the user device U and the service provider device S. The information R has a smaller data amount than the certificate C and is easier to manage.

When there are two or more judge apparatuses J, the process of examining the certificate C to identify the user is performed in accordance with rules preliminarily set in these judge apparatuses J. For example, there are various modifications such as a case where the processing results of all the judge apparatuses J are matched and a case where the processing results are matched by a few percent or more (majority decision). Also,
One form of the “service” may include a process of issuing a certificate (work of a guarantor device) and a process of verifying a certificate (work of a verifier device) in the present invention. In these cases, certificates are used to receive the service.
That is, the service providing method in the present invention may have a nested structure (nested structure or repeated structure).

In all the examples described in this embodiment, the presence or absence of the judge apparatus J and the assurance agent apparatus A is optional unless otherwise specified. This is an example. The job (function) of the guarantor agent device A may be performed by any of the judge device J, the guarantor device G, the verifier device V, and the service provider device S.
As shown in FIG. 5, the same entity (device) is the guarantor device G,
There is a configuration in which the role (function) of any combination of the verifier device V, the service provider device S, the guarantor agent device A, and the judge device J is simultaneously performed. The user device U may send the certificate C directly to the verifier device V, or may present the certificate C via the service provider device S. The assurance agent device A is a certificate or information R for assuring a part or all of the certificate.
May be presented directly to the verifier device V, or may be sent via the service provider device S or via the user device U and the service provider device S. The exchange of information such as certificates between any two parties may be performed via an electronic network, without direct connection between devices,
In some cases, information is transmitted through a device such as an IC card. The user device may use a secure (highly secure) personal terminal such as an IC card as a tool for managing and instructing the certificate C. A plurality of certificates C may be issued at one time. Further, the verifier device V
In a case where the service provider device S and the service provider device S are one device, if a path for transmitting information between the verifier device V and the service provider device S can be secured, these may be appropriately separated. An example. <Example 3: Information browsing service for specific employees>
Before using the internal information browsing service exclusively for a certain range of employees, the guarantor is requested to issue a certificate proving the characteristics necessary for using the service. The manager of each department checks with the guarantor device G whether the user is an employee with the required characteristics, and if the result of the check is appropriate, the device U of the user or the user is designated. A certificate C is issued and sent to the device A of the group server, which is the assurance agent to perform.

When using the service, the user sends the certificate C to the device S of the service provider that provides the in-house information browsing service or the device V such as the general affairs of each business unit as a verifier. However, when the user device does not store the certificate C, the user device U sends the certificate after receiving the certificate from the group server device A, or sends the certificate directly from the device A of the group server. To the device A of the group server.

When the presented device is the device V for the general affairs of each division, the certificate C is verified, and the verification result is notified to the service provider device S of the in-house information browsing service. Further, when the device that has received the certificate is the service provider device S for the in-house information browsing service, the service provider device S sends the certificate to the device V such as the general affairs department of each business unit, And the like, verify the certificate, and notify the service provider device S of the verification result.

The service provider device S has the certificate C
And provide services to the user in accordance with the verification results. The equipment of the human resources department, which is a judge, can limit the use of a user's certificate when the user is transferred or retired. <Embodiment 4: Service ticket for fixed-rate billing service> In the system shown in FIG. 6, the service provider device S has both the function of the guarantor device G and the function of the verifier device V. The user
Before using the service for the first time, the service provider device S
Is requested to issue a certificate C to be used as a service ticket.
When issuing the certificate C, the service provider device S receives from a user information necessary for performing a fixed amount billing such as a monthly fixed amount or an annual fixed amount, and stores the information. Also, the billing and settlement processing is performed simultaneously or thereafter using this information. The service provider device S sends a certificate C to the user device U.
Issue and send. When using the service, the user sends the certificate C to the service provider device S. The service provider device S verifies the certificate C and, after confirming the right, provides a service to the user.

The user device U can present the certificate C to the assurance agent device A and deposit it. In this case, when the user uses the service, the assurance agent device A presents the certificate C of the user to the service provider device S. Alternatively, the assurance agent device A sends information R for guaranteeing a part or all of the contents of the certificate C to the service provider device S. In the following embodiments, the description of using the guarantor agent device A will be omitted, but in any case, the guarantor agent device A may be used as in this embodiment. <Embodiment 5: Ticket for Prepaid Service> In the system shown in FIG. 7, the service provider device S also has the function of the verifier device V. The ticket vending machine G performs the function of a guarantor device. Before using the service for the first time, the user purchases a certificate C as a service ticket from the ticket vending machine G. When issuing the certificate C, the ticket vending machine G receives cash or receives information necessary for performing billing and settlement processing from a user, and performs billing and settlement processing simultaneously or thereafter. . The ticket vending machine G issues and sends a certificate C to the user device U. The issued certificate C may include information for restricting use such as a time limit and the number of times of use. When using the service, the user sends the certificate C to the service provider device S. The service provider device S verifies the certificate C and, after confirming the right, provides a service to the user. <Embodiment 6: Anonymous Membership Ticket> In the system shown in FIG. 8, the membership ticket issuer apparatus G functions as a guarantor apparatus.
Each of one or more service provider devices S _A , S _B , and _{Sc also} has the function of the verifier device V. Before using the service for the first time, the user requests the member ticket issuer to issue a certificate C as a member ticket. After receiving the information necessary for membership registration from the user or after examining the information and determining that there is no problem in issuing the certificate, the member ticket issuer G issues the certificate. Issue a letter C and send it to the user device U. When using any service, the user sends the certificate C to a service provider device (one of S _A , S _B , and S _c ) that provides the service that the user wants to use. The service provider device verifies the certificate C and, after confirming the right, provides a service to the user.

<Embodiment 7: Certification of General-purpose Information> In the system shown in FIG. 5, an example of service realization using a general-purpose certificate C that can be commonly used by a plurality of verifiers is shown. In this example, each entity (device) is a guarantor device G, a user device U,
It performs the function of any combination of the verifier device V, the service provider device S, the guarantor agent device A, and the judge device J. Before using the service for the first time, the user requests one or more devices having the function of the guarantor device G to issue a certificate necessary for using the service. Each of the devices having the function of the guarantor device checks whether or not a certificate can be issued to the user by using respective means, and issues a certificate C to the user device U if possible. send. The user provides the certificate C required for using the service,
It is sent via the device providing the service or directly to a device having the necessary verification function to use the service. The device verifies the received certificate C, and if the verification is successful and the result is notified to the service providing device, the service providing device provides the service to the user.

The characteristics of the user certified by the certificate C include 1) information on physical characteristics such as age, gender, height, weight, blood type, and 2) residence area, nationality, occupation, income, and assets. 3) information indicating relationships with others, such as parent-child relationships, teacher-discipline relationships, friendship relationships,
4) Information indicating the relationship with other groups such as affiliated institutions, home universities, membership clubs, 5) various qualifications such as driver's licenses previously obtained by this user, and 6) tickets for use of some services. Each of these may be certified by a separate certificate, or some may be certified by a single certificate. In some cases, a plurality of certificates may be used to determine whether the user has the right to receive services. <Embodiment 8: Delegation / generation of right using certificate> As a part of the above-described <Embodiment 7>, a user certifies a relationship with a specific other person using a certificate, and There are service provision methods that can exercise some or all of the rights of others. FIG. 9 shows a part of the abstracted model shown in FIG. The "child" has the "parent" device G issue a certificate C for certifying the "parent-child relationship" with the "parent" in order to use the service, and receives this. Alternatively, the guarantor's device, which is not shown in the drawing but proves the "parent-child relationship", may be different from the "parent" device. The “child” receives the certificate P indicating the characteristics of the “parent” from the “parent” device, the guarantor device, or the guarantor agent device thereof. When the "child" uses some service, the certificate C for certifying the "parent-child relationship" and the certificate P for the "parent" are transferred to the service provider device (here, the verifier device) that provides the service that the user wants to use. Function). The service provider device S verifies both certificates P: C, and if there is no problem, provides the service to the “child”.

In the above example, "child", "parent", and "parent-child relationship" can be replaced with arbitrary existences and relationships. For example, the employee receives a service using a certificate proving the rights of the company and a certificate indicating that the employee is an employee of a subsidiary of the company. If the relationships themselves overlap in a complicated manner, such as “children of a child” (grandchild) or “child of a sibling of a parent” (cousin), proof of the relationship is performed in a chain (hierarchical) using multiple certificates. In some cases. <Embodiment 9: Anonymous post office box> In the system shown in FIG. 10, the post office box providing company apparatus G fulfills the function of a guarantor apparatus. The device S of the post office box performs both functions of the verifier device V and the service provider device. Before using the post-office box for the first time, the user purchases a certificate C which is a key for removing the contents from the post-office box from the post-office box providing company. The post-office box providing company apparatus G issues a key certificate C to the user apparatus U and sends it. Thereafter, the user designates a post office box corresponding to the certificate C purchased by the user as a delivery destination of the package (or electronic data) in a transaction with another user. The PO Box will keep the package as soon as it is delivered. When taking out the contents of the post-office box, the user sends the certificate C passed to him to the post-office box apparatus S. The PO box device S verifies the certificate C, and if there is no problem, hands over the contents of the PO box to the user.

The post-office box has various forms of realization, such as a physical safe box at a bank, an in-box for e-mail, and a physical box installed in a convenience store, in addition to a generally used physical mailbox. <Embodiment 10: Secret Voting (1)> In the system shown in FIG. 11, the election manager devices (G, V) have the functions of the guarantor device G and the verifier device V, and the device S of the ballot box is a service. It has the function of the provider device. The user has the election manager (G, V) issue a certificate C to be a voting ticket before voting, and receives the certificate. The user sends the certificate C to the election manager device (G, V) at the time of voting. The election manager device verifies the certificate C and notifies the ballot box device S that the user is allowed to vote if there is no problem. Users vote in the ballot box.

Examples of application of this method include a case where voting is performed via an electronic information network such as a telephone and the Internet, and a case where voting is performed without such voting. <Embodiment 11: Secret Voting (2)> In the system shown in FIG. 12, the government office apparatus G has the function of the guarantor apparatus, the election manager apparatus V has the function of the verifier apparatus, and the ballot box apparatus S
Has the function of a service provider device. Before voting, the user issues a certificate C proving the information necessary for voting to the government office apparatus G and receives it. The user sends the certificate C to the election manager device V at the time of voting. The election manager device verifies the certificate C and, if there is no problem, notifies the ballot box device S that the user is allowed to vote. Users vote in the ballot box.

For example, in a public office election or the like, if a user has certificates C about their place of residence and age, these certificates C are interpreted as voting tickets. In this case, the guarantor device is the issuer device of the certificate C. This system is also an example of the above-mentioned general-purpose information certification system. Examples of the application of this method include a case where voting is performed via an electronic information network such as a telephone and the Internet, and a case where voting is performed without intervening. <Example 12: Realization of negotiation between anonymous persons> FIG. 13 shows that many users participate, and some or all of these participants prove their characteristics to others using certificates. This shows a system that performs some processing. In this system, the user device U has the function of a verifier device (and a service provider device) that verifies the characteristics of another user. In this system, there is one or more guarantor devices.

Before the user certifies his / her characteristic to others for the first time, the appropriate guarantor device issues a certificate C for certifying his / her characteristic and receives it. The user
When negotiating with another party, the self certificate C is sent to the partner apparatus. The device U to which the certificate C has been sent verifies the certificate C, and appropriately handles the user according to the verified contents. By doing this mutually, those having the authority (characteristics) certified by the certificate can mutually negotiate anonymously. In this case, the verification of the certificate C may be performed not by the user device itself but by a verifier device provided separately therefrom. Similarly, the function of the service provider device may be provided separately from the user device U, or the function of the service provider device and the verifier device may be provided separately from the user device U. May be provided, or the service provider device and the verifier device may be separately provided from the user device.

In a place where an unspecified number of participants exchange information, such as an electronic bulletin board, a device of the electronic bulletin board has a function of a service provider device (or a verifier device) and a part of the participants. Publishes information on the electronic bulletin board while proving their characteristics (nationality, gender, age, etc.) using the certificate, and information on the electronic bulletin board while other participants similarly prove their rights with the certificate Information may be exchanged such as obtaining Alternatively, application of matchmaking on the network, implementation of employment / recruitment activities, etc. are also examples. <Example 13: Construction of a trading environment in which anonymous people participate>
In the system shown in Fig. 14, a transaction environment in which multiple anonymous persons can participate is realized. In this system, the organizer's device G has the function of a guarantor device, and the device S at the transaction site has the functions of a verifier device and a service provider device. Before using the trading venue for the first time, the user requests the organizer to issue a certificate C as a participating chapter. When the organizer determines that the participation of the user is appropriate by using any means, the organizer sends one or more certificates as a participation chapter to the user device U. The user sends the certificate C to the device S at the transaction site when using the transaction site. The device S at the transaction site verifies the certificate C and, if there is no problem, permits the user to use the site. At the trading venue,
Various activities such as exchange of information and articles between users and posting and sale of information and articles from the organizer are performed.

For example, the present system can be applied to an auction conducted using an electronic network. Alternatively, there is an application destination such as bidding. <Example 14: Another legend> In the system shown in FIG.
The service provider device S also serves as the guarantor device G.
Before using the service for the first time, the user requests the service provider device S to issue a certificate C that is a service ticket. After performing an appropriate examination for the user, the service provider device S issues a certificate to the user device U and sends the certificate to the user device U if it is determined to be appropriate. The user sends the certificate C to the verifier device V when using the service. Verifier device V
Verifies the contents of the certificate C and its validity, and notifies the service provider apparatus S of the result in text. The service provider device S provides a service to the user according to the result presented by the verifier.

As will be easily understood from the above description, the information R created by the assurance agent device A can be used instead of the certificate C in each of the above-described embodiments. The certificate C = (s, P, M, E, D, (U ₂ ,..., U _R ), (V ₂ ,..., V _R ), (c ₁ , , C _R )) is shown below.

Before starting the protocol, between the user and the guarantor
Therefore, it is assumed that the proof matter M is agreed. protocol
Certificate C used by the user in_o= (s_o, P_o,M_o, E_o, D_o, ...)
Is one of the certificates previously obtained by the user. this
May be given at initialization. The functions gs and gk are
An appropriate one-way hash function, “||” represents a join
You. (1) The user device U is a random number r_k, u_k, v_k, w_k, x_k(1 ≦ k ≦ N, N = low
All parameters), the following value α_k, β_kCalculate
I do. α_k= r_k ^eG・ Gs (Z_k) (mod n_G) (1) β_k= Ecrypt (e_J, r_k|| Z_k, x_k) (2) where X_k= Conv_crypt(e_J, X_k-1, u_k), X₀= E_o (3)  Y_k= Conv_code(Y_k-1, v_k), Y₀= D_o (4) Z_k= gk (P || w_k) || X_k|| Y_k|| M (5) e_G, n_GIs the public key of the guarantor, e_J Is the judge's public key, Conv
_crypt() Converts a ciphertext into another ciphertext having the same plaintext.
Function, Conv_code() Is another code with the same element as the code sentence
This is a function to convert to a sentence.

The user device U creates a signature s _U for the sentence of the expression (6) using the secret key S _o corresponding to the public key _Po , and generates the signature s _U , the certificate C _o , and all α. _k and β _k are sent to the guarantor device G. _{α 1 || α 2 || ··· ||} α N || β 1 || β 2 || ··· || β N (6) (2) guarantor apparatus G is, C _o of the guarantor equipment by using the G's public key to verify the signature s _o, also, using two of the list to be published of the judge unit J (ie, invalid certificate list, invalid ID list), to confirm the validity of the C _o (Details will be described later).
In addition, the guarantor apparatus G is also confirmation signature s _u.

If all of them pass, the guarantor device G appropriately selects NR candidates from the N candidates and sends a subset Ind of this index number to the user device U (N,
R: safety parameter, 0 <R ≦ N). Ind = [k _i], with respect to _{1 ≦ k i ≦ N for 1} ≦ i ≦ N-R (7) (3) The user device U to all k _i contained in Ind, U
_0ki, V _0ki, send r _ki, x _ki, gk the (P || w _ki) to the guarantor apparatus G.

Where U_ijIs X_j= Conv_crypt(e_J, X_i, t)
Value t and V_ijIs Y_j= Conv_code(Y _i, t)
You. From the above definition of stochastic cryptosystem and stochastic code system, U_ij
Is (u_{i + 1}, u_{i + 2}・ ・ ・, U_j) From V_ijIs (v_{i + 1}, v_{i + 2}, ...,
v_j) Can be easily calculated. (4) Procedure for guarantor G
Using the information received in (3), the following α_k ^', Β_k'
(K belongs to Ind), and these are calculated in step (1).
Α received_k, β_kMake sure it matches.

Α_k'= r_k ^eG・ Gs (Z_k') (mod n_G) (8) β_k'= E_crypt(e_J, r_k|| Z_k', x_k) (9) where X_k'= Conv_crypt(e_J, E_o, U_0k) (Ten)  Y_k'= Conv_code(D_o, V_0k,) (11) Z_k' = gk (P || w_k) || X_k'|| Y_k'|| M (12)  The guarantor device G calculates the following value s ′, and substitutes s ′ for the user device.
Return to U. Also, s' and E _o, [β_k] (k does not belong to Ind)
save.

[0041]

(Equation 1) d _G is a secret key corresponding to e _G. (5) The user device U calculates a new certificate C = (s, P, M, E, D,...) as follows. Where k _j is the series (1,2,
3,..., N) indicates the j-th value of a sequence having R elements excluding terms included in Ind.

[0042]

(Equation 2) _{· E = X k1 · D =} Y k1 · (U 2, U 3, ···, U R) = (U k1k2, U k1k3, ···, U k1kR) · (V 2, V 3, ·· _{·, V R) = (V} k1k2, V k1k3, ···, V k1kR) · (c 1, c 2, ···, c R) = (w k1, w k2, ···, w kR) <Verification Protocol> Next, the procedure for verifying this certificate will be described. (1) The user device U sends the certificate C to the verifier device V. (2) The verifier apparatus V performs three verifications on the certificate C.・ Confirm that the following equation holds.

[0043]

(Equation 3) Where X ₁ "= E (15) X _i " = Conv _crypt (e _J , E, U _i ) (i ≧ 2) (16) Y ₁ "= D (17) Y _i " = Conv _code (D, V _i ) (i ≧ 2) (18) Z _i "= gk (P || c _i ) || X _i " || Y _i "|| M (19) The existence (that is, the user) having the corresponding secret key S, the guarantor device G
Guarantees the proof matter M ". Confirm that the user device holds the private key S corresponding to the public key P by using an authentication procedure using an existing public key signature. Check the validity of the certificate C using the two lists published by the judge apparatus J (that is, the invalid ID list and the invalid certificate list). For revoking a certificate, if the certificate C to be invalidated is known, the signature s of the guarantor device G included in the certificate C is registered in the “invalid certificate list”. The certificate including the signature s registered in this list is interpreted as invalid.

However, the guarantor device G does not know which certificate the user has issued. Β _k has been introduced to solve this problem. Guarantor device G
Is s' and E _o , [β _k ] (k
Does not belong to Ind). Judge device J
Decrypts [β _k ] using the secret key d _J to obtain [r _k || Z _k ]
(K does not belong to Ind). Judge J verifies equation (20) below, and if this holds, sign s.

[0045]

(Equation 4) And register it in the "invalid certificate list".

[0046]

(Equation 5) If the equation (20) does not hold, it means that the stored β _k contains false information. If revocation is not performed in certificate units, all processes related to β _k may be omitted.

The judge apparatus J can identify the owner of the certificate from the certificate itself, and can simultaneously invalidate all the certificates possessed by this user. Judge apparatus J _obtains secret key d _J from information E (E = E _crypt (e _J , ID, r)) included in certificate C.
To derive the identifier ID of the user. I
Since D is a unique identifier of each user, the user can be identified from the ID and information such as a name can be obtained. In addition, in order to neutralize, the judge device J sets the ID to "invalid I
D list ".

In a certain certificate, when the code D (= E _code (ID, r ')) included in the certificate corresponds to one of the IDs registered in the invalid ID list, that is, the following expression is used. This certificate is invalid when it is valid. D _code (ID _k , D) = 1 (21) ID _k is an ID registered in the invalid ID list. In the above description, a digital signature using the blind signature technology of the The information stored in the certificate C is the information indicating that the certifier G has guaranteed the items described in the certificate, and the validity of the information can be verified by the verifier V. It would be fine.
In the above description, the secret key S is used as information that can only be used or cannot be known by the user, and the public key P corresponding to this S is used as the user information. Public information corresponding to the above may be used as user information. For example, a value V2 obtained by performing a one-way function operation on a value V1 that can be known only by the user
Is stored as user information, and at the time of verification, from V2,
The fact that the user knows V1 corresponding to V2 may be confirmed by the zero knowledge proof. In the above description, the characteristic information (certification matter) M and the user information (public key P) are stored in the certificate C, but if the characteristic information (certification matter) M guaranteed by the guarantor device G is clear, the characteristic information The certificate itself does not have to be explicitly stated. For example, in the case where a signature using a secret key used only for a specific item is assured, the characteristic information itself need not be described.

[0049]

As described above, when a service is realized by using the present invention, the rights of the user can be confirmed anonymously, and the service can be provided in accordance with the anonymity. Identification is possible.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a system configuration example to which the method of the present invention is applied.

FIG. 2 is a block diagram showing a functional configuration example of each system component in FIG. 1;

FIG. 3 is a diagram showing an example of stored contents of a certificate used in the method of the present invention.

FIG. 4 is a diagram showing an example of a basic model of the method of the present invention.

FIG. 5 is a diagram showing an example of an abstract model of the method of the present invention.

FIG. 6 is a diagram showing an example in which the present invention is applied to a flat-rate billing service.

FIG. 7 is a diagram showing an example in which the present invention is applied to a prepaid service.

FIG. 8 is a diagram showing an example in which the present invention is applied to a service using a membership card.

FIG. 9 is a diagram showing an example in which the present invention is applied to a service of a type in which rights are transferred.

FIG. 10 is a diagram showing an example in which the present invention is applied to an anonymous post office box system.

FIG. 11 is a diagram showing an example in which the present invention is applied to an anonymous voting method.

FIG. 12 is a diagram showing another example in which the present invention is applied to an anonymous voting method.

FIG. 13 is a diagram showing an example in which the present invention is applied to negotiations between anonymous persons.

FIG. 14 is a diagram showing an example in which the present invention is applied to a transaction in which an anonymous person participates.

FIG. 15 is a diagram showing an example in which the present invention is applied to a case where the service provider device has a guarantor function.

──────────────────────────────────────────────────続 き Continued on the front page (51) Int.Cl. ⁷ Identification code FI Theme coat ゛ (Reference) H04L 9/00 675D (72) Inventor Atsushi Terauchi 2-3-1 Otemachi, Chiyoda-ku, Tokyo Nippon Telegraph and Telephone Telephone Co., Ltd. (72) Inventor Eiji Kuwana 2-3-1, Otemachi, Chiyoda-ku, Tokyo Nippon Telegraph and Telephone Corporation (72) Inventor Shoko 2-3-1 Otemachi, Chiyoda-ku, Tokyo Sun F-Term (in reference) 5B049 AA05 BB36 CC16 EE03 EE09 GG04 GG07 GG10 5B055 BB20 CC10 CC13 EE03 EE17 EE21 EE27 FA05 FB03 JJ05 5B085 AA08 AC03 AE13 AE23 AE29 BG07 KA07 A07 KA07 AE07

Claims (15)

[Claims] 1. A certification storing at least information indicating that a guarantor has guaranteed characteristic information excluding at least one of the characteristics of a user and user information corresponding to information that can be used only by the user. A service providing method using a certificate, wherein the user device sends a certificate to the service provider device to request a service, and the service provider device sends the certificate received from the user device to the verifier device, The verifier device verifies the certificate received from the service provider device, and sends the verification result to the service provider device. The service provider device verifies that the verification result received from the verifier device is valid. For example, a service providing method using a certificate, which provides a service to a user of the user device. 2. A certification storing at least information indicating that a guarantor has guaranteed characteristic information excluding at least one of the characteristics of a user and user information corresponding to information that can be used only by the user. A service providing method using a certificate, wherein a certificate is sent from a user device to a service provider device, and the service provider device verifies the received certificate,
A service providing method using a certificate, wherein the service is provided to the user of the user device if the verification result is valid. 3. A certification storing at least information indicating that a guarantor has guaranteed characteristic information excluding at least one of the characteristics of a user and user information corresponding to information usable only by the user. A service providing method using a certificate, wherein a certificate is sent from a user device to a verifier device, the verifier device verifies the received certificate, and sends the verification result to the service provider device, and the service A service providing method using a certificate, wherein the provider device provides a service to a user of the user device if the received verification result is valid. 4. A certification storing at least information indicating that a guarantor has guaranteed characteristic information excluding at least one of the characteristics of a user and user information corresponding to information that can be used only by the user. A method for providing a service using a certificate, wherein a first certificate is sent from a first user device to a second user device, and the second user device verifies the received first certificate;
If the verification is valid, a service is provided to the user of the first user device, a second certificate is sent from the second user device to the first user device, and the first user device is Verify the received second certificate,
A service providing method using a certificate, wherein the service is provided to the user of the second user device if the verification is valid. 5. The method according to claim 1, wherein sending the certificate from the user device to the device is performed via an assurance agent device. Service delivery method. 6. The method according to claim 1, wherein the assurance agent device stores and manages the certificate, and wherein the user device receives the certificate from the assurance agent device and uses the certificate. A service providing method using a certificate, wherein the certificate is transmitted from the party device to the device. 7. A certification storing at least information indicating that a guarantor has guaranteed characteristic information obtained by removing at least one of the characteristics of a user and user information corresponding to information usable only by the user. A service providing method using a certificate, wherein the assurance agent device stores and manages the received certificate, and the assurance agent device transmits information R indicating that at least a part of the content of the stored certificate is assured. The user device receives the information R or sends the information R from the assurance agent device to the service provider device to request a service, and the service provider device sends the received information R to the verifier device. The verifier device verifies the received information R and sends the verification result to the service provider device. If the received verification result is valid, the service provider device verifies the information R. A service providing method using a certificate, which provides a service to a user of a user device. 8. A certification storing at least information indicating that a guarantor has guaranteed characteristic information excluding at least one of the characteristics of a user and user information corresponding to information usable only by the user. A service providing method using a certificate, wherein the assurance agent device stores and manages the received certificate, and the assurance agent device transmits information R indicating that at least a part of the content of the stored certificate is assured. The user device receives the information R, or sends the information R from the assurance agent device to the service provider device, and the service provider device verifies the received information R,
A service providing method using a certificate, wherein the service is provided to the user of the user device if the verification result is valid. 9. A certification storing at least information indicating that a guarantor has guaranteed characteristic information excluding at least one of the characteristics of a user and user information corresponding to information usable only by the user. A service providing method using a certificate, wherein the assurance agent device stores and manages the received certificate, and the assurance agent device transmits information R indicating that at least a part of the content of the stored certificate is assured. The user device receives the information R, or sends the information R from the assurance agent device to the verifier device, the verifier device verifies the received information R, and outputs the verification result to the service provider. A service providing method using a certificate, wherein the service provider device provides a service to a user of the user device if the received verification result is valid. 10. A certification storing at least information indicating that a guarantor has guaranteed characteristic information excluding at least one of the characteristics of a user and user information corresponding to information usable only by the user. A service providing method using a certificate, wherein the assurance agent device stores and manages the received certificate, and the assurance agent device transmits information R indicating that at least a part of the content of the stored certificate is assured. The first user device receives the first information R, or sends the first information R from the assurance agent device to the second user device, and the second user device transmits the received first information R. Verify,
If the verification is valid, the service is provided to the user of the first user device, and the second user device receives the second information R or transmits the second information R from the assurance agent device to the service. Sending to the first user device, the first user device verifies the received second information R,
A service providing method using a certificate, wherein the service is provided to the user of the second user device if the verification is valid. 11. The method according to claim 1, wherein a certificate issuance request is issued from a user to a guarantor device, and the guarantor device receives the certificate issuance request and receives a corresponding certificate. And providing the service to the user device or the assurance agent device using a certificate. 12. The method according to claim 1, wherein a certificate issuance request is made from a user to a service provider device, and the service provider device responds to the certificate issuance request. A service providing method using a certificate, comprising issuing a certificate and sending the certificate to a user device or a guarantee agent device. 13. The method according to claim 1, wherein a certificate issuance request is issued from a user to a verifier device, and the verifier device receives the certificate issuance request and receives a corresponding certificate. And providing the service to the user device or the assurance agent device using a certificate. 14. The method according to claim 11, wherein the user device sends the received certificate to the assurance agent device, and the assurance agent device stores and manages the received certificate. A service providing method using a certificate. 15. The method according to claim 1, wherein the certificate is obtained from one of a user device, a service provider device, a verifier device, a guarantor device, and a guarantor agent device. A service providing method using a certificate, wherein the judge device identifies the user from the received certificate, or invalidates the certificate in addition to the certificate.