JP2011024011A - Signture generation device, subscriber specifying device, group signature system, and method and program therefor - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a signature generation device or the like which allows a subscriber to specify a subscriber specifying person for a group of a plurality of subscribers by one piece of group signature data. <P>SOLUTION: A signature generation device 200 includes: an input part 13 for accepting an input of an issuance administrator public key, a loosing effect administrator public key, and subscriber specifying person information as information about the subscriber specifying person of a group; a storing part 220 for previously storing a member secret key and a member public key of the subscriber; a subscriber specifying person public key acquiring means 212a1 for acquiring a subscriber specifying person public key corresponding to the subscriber specifying person information; a signature generation means 212a2 for generating group signature data including data obtained by encrypting subscriber information included in the member secret key with the use of the subscriber specifying person public key and random numbers common to all the subscriber specifying persons; and an output part 13 for outputting the generated group signature data and subscriber specifying person information. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a group signature scheme, and more particularly to designation of a signer specific person in the scheme.

  The group signature method is a signature method in which a member belonging to a specific group such as a specific company or a specific department operates a signature device to generate an electronic signature indicating that the member is a member of the group. . In the group signature method, a person with special authority has a function of specifying a member who generates a signature. Those who have this authority are called signer identification persons. A person other than the signer-identifier can certainly verify whether a member of the group has generated the signature, but cannot identify the individual member.

  For example, if it is a credit card (“member of the group” = “member of the card”), the member can usually use the service of the card without exposing his / her personal information to the store side. In addition, when unauthorized use occurs, the signer identification person can identify the member who has made the unauthorized use, so the risk of unauthorized use can be suppressed. The signer identification person is specified when the member generates the group signature.

  Regarding the group signature method, the following technical documents are disclosed. Patent Document 1 describes a distribution system that uses a group signature method to suppress damage to key leakage in paid distribution of content such as video. Patent Document 2 describes a service providing system in which when a service for a member is outsourced to an external contractor, it is not necessary to disclose the personal information of the member to the external contractor using a group signature method. Patent Document 3 describes a signature processing method in which the size of a group public key does not have to be proportional to the number of members of the group in the group signature method.

  Non-Patent Documents 1 and 2 include a group signature method using an RSA (Rivest Shamir Adleman) -based encryption method, and Non-Patent Documents 3 to 4 include a pairing-based encryption method. Each signature scheme is described. Non-Patent Document 5 describes a log management system in which a group signature is created each time a file is created, viewed, modified, printed, etc., and this group signature data is stored in a log management server.

JP 2006-203819 A JP 2007-004461 A Japanese Patent No. 3513324

J. Camenisch and J. Groth.Group Signatures: Better Efficiency and New Theoretical Aspects.Security in Communication Networks (SCN2004), vol. 3352 of LNCS, pp. 120--133. Toshiyuki Isshiki, Kengo Mori, Kazue Sako, Isamu Teranishi, and Shoko Yonezawa.Using Group Signature for Identity Management and its Implementation.Workshop on Digital Identity Management (DIM2006), pp. 73--78. Dan Boneh, Xavier Boyen, and Hovav Shacham.Short Group Signatures.Advances in Cryptology --- CRYPTO 2004, vol. 2656 of LNCS, pp. 614-629, Springer-Verlag, 2004. Jan Camenisch, Anna Lysyanskaya. Signature Schemes and Anonymous Credentials from Bilinear Maps. Advances in Cryptology --- CRYPTO 2004, vol. 2139 of LNCS, pp. 388-407, Springer-Verlag, 2004. Ken Ohana, Toshiyuki Isshiki, Kazue Sako, Kunihiko Miyazaki, Yasuhiro Fujii, Yoshinori Honda, “Inking group signature to realize history management considering privacy”, SCIS2009, 3B2-4.

  When there are three groups A, B, and C, the group signature data as a member of group A created by the signer to which group A belongs is a verifier belonging to any of groups A, B, and C. However, it can be seen that the signature data is a legitimately created signature data by a member of group A. However, the signer is designated by the signer in advance. Is only specified. Here, considering that the signer designates the signer identification person for each of the groups A, B, and C, the result when the signer identification person specified in each group specifies the signer is as follows: It is necessary to match.

  However, in the group signature methods described in Patent Documents 1 to 3 and Non-Patent Documents 1 to 5, since only one signer can be specified as the signer, the signer is specified for each group as described above. It was impossible to generate a group signature specifying. In order to solve this, it is conceivable that the same signer creates group signature data in which different signer identification persons are designated for each of the groups A, B, and C. Due to the nature of the verifier, the verifier cannot confirm that the group signature data is actually created by the same signer.

  In this case, it is also conceivable to prove that the plurality of group signature data is generated by the same signer while keeping the signer's ID secret by zero knowledge proof. However, the data length of the signature data required in this case is the sum of the group signature data and the data length of the zero knowledge proof proportional to the number of designated signer identification persons. For example, when this is performed by the method of Non-Patent Document 2, when the recommended security parameter is used, the data length for one signer identification person is about 6000 bits. Since this is generated as many as the number of signer specific persons specified, the data length and the required calculation amount are unrealistic.

  An object of the present invention is to use one group signature data, a signer specifies a signer identification person for a plurality of groups, each of the signer identification persons can specify the same signer, and a signature is generated It is an object of the present invention to provide a signature generation apparatus, a signer identification apparatus, a group signature system, and a method and program thereof that can generate group signature data with a small amount of calculation required for the process and identify the signer.

  In order to achieve the above object, a signature generation apparatus according to the present invention is a signature generation apparatus that generates and outputs a group signature as electronic signature data that proves that one signer who is a member of a group belongs to the group. An input unit that accepts input of the issuer administrator public key and the revocation administrator public key of the group, and signer identifier information that is information on a plurality of signer identifiers to be permitted to be identified; , A storage unit that stores in advance the signer's member private key and member public key, a signer-identifier public key acquisition unit that acquires a signer-identifier public key corresponding to the signer-identifier information, and a signer-identifier Generates group signature data including data obtained by encrypting signer information contained in a member private key using a public key and a random number common to all signer identifiers. And having a signature generating means for, and an output unit for outputting the generated group signature data and the input signatories particular originator information.

  In order to achieve the above object, the signer identification device according to the present invention is a signer belonging to a group with respect to a group signature that is electronic signature data certifying that one signer that is a member of the group belongs to the group. A signer identification device that identifies whether or not there is an input unit that receives an input of a group signature and signer identifier information output from an external signature generation device, and is included in the signer identifier private key and group signature A storage unit that stores in advance a member list that stores a member identifier corresponding to the signer information, a signer identifier private key acquisition unit that acquires a signer identifier private key from the storage unit, and a signer identifier secret When the signer-identifier public key corresponding to the key is included in the signer-identifier information, the signer-identifier private key is used to decrypt the group signature to obtain the signer information A signer identification unit; a member retrieval unit that retrieves a member identifier corresponding to the signer information obtained by decryption from a member list; and an output unit that outputs the retrieved member identifier. To do.

  To achieve the above object, a group signature system according to the present invention includes a signature generation device that generates and outputs a group signature that is electronic signature data that proves that one signer who is a member of a group belongs to the group; A group signature comprising: a verification device for verifying whether the group signature is legitimately generated by a signer belonging to the group; and a signer identification device for identifying who the signer is for the group signature Input of signature identifier information that is information about a signature identifier who is allowed to identify the signature issuer public key and revocation administrator public key of the group, which is a system. A first input unit for receiving the signer, a first storage unit for storing in advance the signer's member private key and member public key, and signer identification information Using the signer-identifier public key acquisition means for acquiring the corresponding signer-identifier public key, the signer-identifier public key, and a random number common to all the signer-identifiers, the member secret key is used. A verification apparatus comprising: signature generation means for generating group signature data including data obtained by encrypting included signer information; and a first output unit for outputting the generated group signature data and signer identification person information Includes a second input unit that receives input of the group signature data and signer identifier information output from the signature generation device, and the group issuance manager public key and revocation manager public key, and its own signer identifier A second storage unit for storing a secret key, a verification unit for verifying whether or not the signature is legitimately generated by a signer belonging to the group signature data group, and a second output unit for outputting a verification result The signer identification device corresponds to a third input unit that accepts input of the group signature and signer identifier information output from the external signature generation device, and corresponds to the signer identifier private key and signer information. A third storage unit that stores in advance a member list that stores member identifiers to be signed, a signer specific person private key acquisition unit that acquires a signer specific person private key from the storage unit, and a signer specific person private key Signer identification means for decrypting the group signature using the signer identifier private key and obtaining the signer information when the corresponding signer identifier public key is included in the signer identifier information, and decrypting And a member search means for searching for a member specifier corresponding to the signer information obtained from the member list, and a third output unit for outputting the searched member specifier.

  To achieve the above object, a signature generation method according to the present invention is a signature generation apparatus that stores in advance a member private key and a member public key of one signer who is a member of a group, and the signer is a group A signature generation method that generates and outputs a group signature, which is digital signature data that certifies that it belongs to the group, and wants to permit the identification of the group's issue administrator public key, revocation administrator public key, and signer Accepts the input of signer identifier information, which is information about the signer identifier, obtains the signer identifier public key corresponding to the signer identifier information, identifies the signer identifier public key and all signers Group signature data including data obtained by encrypting the signer information included in the member secret key is generated using a common random number for the subscriber, and the generated group signature data is generated. And wherein the outputting the signatories specific user information.

  In order to achieve the above object, a signer identification method according to the present invention stores in advance a signer identifier private key and a member list storing member identifiers corresponding to signer information included in the group signature. A signer identification method for identifying who is a signer belonging to a group with respect to a group signature, which is electronic signature data certifying that one signer who is a member of the group belongs to the group, in the signer identification device It accepts the input of the group signature and signer identifier information output from the external signature generator, obtains the signer identifier private key, and discloses the signer identifier corresponding to the signer identifier private key It is determined whether or not the key is included in the signer identifier information. If the signer identifier public key is included in the signer identifier information, the signer identifier private key is used to The signature signature information is obtained by decrypting the loop signature, the member identifier corresponding to the signature information obtained by decryption is retrieved from the member list, and the retrieved member identifier is output. .

  To achieve the above object, a signature generation program according to the present invention is a signature generation apparatus that stores in advance a member private key and a member public key of one signer who is a member of a group. A procedure for accepting input of the signer specific person information that is information about the signer specific person who wants to specify the issuer public key and revocation administrator public key of the group, and the signer Included in the member private key using the procedure for obtaining the signer-identifier public key corresponding to the person-identifier information, the signer-identifier public key, and a random number common to all signer-identifiers The procedure for generating the group signature data including the data obtained by encrypting the signer information and the procedure for outputting the generated group signature data and the signer identification information are executed. Characterized in that to.

  To achieve the above object, the signer identification program according to the present invention stores in advance a signer identifier private key and a member list storing member identifiers corresponding to signer information included in the group signature. A procedure for accepting an input of a group signature and signer specific person information output from an external signature generation apparatus to a computer included in the signer specific apparatus in the signer specific apparatus, and a signer specific person private key A procedure, a procedure for determining whether or not the signer identifier public key corresponding to the signer identifier private key is included in the signer identifier information, and the signer identifier public key in the signer identifier information If it is included, the signer identifier private key is used to decrypt the group signature to obtain the signer information and the member identifier corresponding to the signer information obtained by decryption is registered as a member. A step of searching the bets, characterized in that to execute a step of outputting the retrieved member designator.

  Since the present invention is configured to encrypt the signer information included in the member private key using the signer identifier public key corresponding to the signer identifier information as described above, the signature corresponding to this Only the signer identification person having the person identification person private key can decrypt the signer information and specify the signer. Furthermore, since the signer information is encrypted using a random number common to all the signer identification persons, the amount of calculation required for encryption can be suppressed. As a result, each group signature data can specify the same signer regardless of the number of signer-identifiers, and the amount of calculation and data capacity required for signature generation can be reduced. It is possible to provide a signature generation apparatus, a signer identification apparatus, a group signature system, and a method and program thereof capable of generating small group signature data and identifying a signer.

FIG. 2 is an explanatory diagram showing a configuration of the entire group signature system according to the first embodiment of the present invention. It is explanatory drawing which shows the structure as a hardware of the computer apparatus which functions as an issuer apparatus shown in FIG. 1, a member apparatus, a verification apparatus, a signer identification apparatus, and a revocation manager apparatus. 3 is a flowchart showing an operation of generating a group signature by the member device shown in FIG. 1. 3 is a flowchart illustrating an operation of verifying a group signature by the verification apparatus illustrated in FIG. 1. 3 is a flowchart showing an operation of specifying a signer by the signer specifying device shown in FIG. 1. It is explanatory drawing which shows the structure of the whole group signature system which concerns on the 2nd Embodiment of this invention. 7 is a flowchart showing an operation of generating a group signature by the member device shown in FIG. 6. 7 is a flowchart illustrating an operation of the verification apparatus illustrated in FIG. 6 verifying a group signature. FIG. 7 is a flowchart illustrating an operation in which the signer identification device illustrated in FIG. 6 identifies a signer. It is explanatory drawing which shows the structure of the whole group signature system which concerns on the 3rd Embodiment of this invention. 11 is a flowchart showing an operation of generating a group signature by the member device shown in FIG. 10. 11 is a flowchart showing an operation of verifying a group signature by the verification apparatus shown in FIG. It is a flowchart shown about the operation | movement which identifies the signer performed by the signer identification apparatus shown in FIG. It is explanatory drawing which shows the structure of the whole group signature system which concerns on the 4th Embodiment of this invention. FIG. 15 is a flowchart showing an operation of generating a group signature by the member device shown in FIG. 14. FIG. 15 is a flowchart illustrating an operation of verifying a group signature by the verification apparatus illustrated in FIG. FIG. 15 is a flowchart showing an operation of specifying a signer performed by the signer specifying apparatus shown in FIG. 14. FIG.

(First embodiment)
The configuration of the embodiment of the present invention will be described below with reference to the accompanying drawings.
First, the basic content of the present embodiment will be described, and then more specific content will be described.
The signature generation apparatus (member apparatus 200) according to the present embodiment is a signature generation apparatus that generates and outputs a group signature as electronic signature data certifying that one signer who is a member of a group belongs to the group. An input unit (input / output unit) that accepts input of the signer specific person information that is information on the issuer public key and revocation manager public key of the group and the signer specific person who is permitted to specify the signer 13), a storage unit (member storage unit 220) for storing the signer's member private key and member public key in advance, and a signer-identifier public key for obtaining a signer-identifier public key corresponding to the signer-identifier information The signer information contained in the member private key is obtained by using the key acquisition means 212a, the signer identifier public key, and a random number common to all the signer identifiers. A signature generating unit 212b for generating group signature data, the output unit for outputting the group signature data and the signature's particular originator information generated and (output unit 13) containing Goka data.

  Further, the signer identification device 400 according to the present embodiment determines who is a signer who belongs to a group with respect to a group signature that is digital signature data that proves that one signer that is a member of the group belongs to the group. An identification part identifying device to be identified, an input unit (input / output unit 13) for receiving an input of a group signature and signer identification person information output from an external signature generation apparatus, a signer identification person private key, and a group signature A storage unit (signer identifier storage unit 420) that stores in advance a member list 421 that stores a member identifier (ID) corresponding to the signer information included in the ID, and obtains a signer identifier private key from the storage unit The signer-identifier private key acquisition means 412a1 and the signer-identifier public key corresponding to the signer-identifier private key are included in the signer-identifier information. Signer specifying means 412a2 for obtaining the signer information by decrypting the group signature using the specific person private key, and member search means for searching for the member specifier corresponding to the signer information obtained by decoding from the member list 412a3 and an output unit (input / output unit 13) for outputting the searched member specifier.

By providing this configuration, the present embodiment provides group signature data that can identify the same signer by each of the signer identifiers regardless of the number of signer identifiers. It can be generated and used.
Hereinafter, this will be described in more detail.

In the present specification, first, each of the following persons uses the group signature system according to the embodiment of the present invention.
“Member (signer)” — Generates and uses a group signature, which is signature data belonging to a particular group and belonging to that group.
“Issuer” —generates and issues a group key used to generate a group signature to group members.
“Verifier” —Receives a group signature and verifies whether this group signature was legitimately created by a member of the group.
“Signer Identifier” —identifies who is the member who received the group signature and generated this group signature.
“Revocation Manager” —Revokes a group key held by a specific member of a group.

  In this specification, information indicating who is a member who has generated this group signature is referred to as “signer information”, and information indicating who can identify the member among the signer identification persons. It is called “signer identification person information”.

  In the lines other than the mathematical expressions in this specification, a ^ b means “a raised to the power b”, and a_b indicates a state in which “a is a subscript b”. Furthermore, a remainder group of integer N is denoted as Z_N. That is, Z_N = {0, 1,..., N−1}. A set of elements y of Z_N having x satisfying y = x ^ 2 mod N with respect to the integer N is denoted as QR (N).

  FIG. 1 is an explanatory diagram showing the overall configuration of the group signature system 1 according to the first embodiment of the present invention. The group signature system 1 includes an issuer device 100 in which an issue manager generates and issues a member key to members of a group, a member device 200 in which each member generates a group signature using the issued member key, and a generated group A verification apparatus 300 that verifies the validity of a signature, a signer identification apparatus 400 that identifies a member who has generated a group signature, and a revocation manager apparatus 500 that revokes a member key of a specific member are mutually connected by a network 600. Connected and configured.

  The issuer apparatus 100, member apparatus 200, verification apparatus 300, signer identification apparatus 400, and revocation manager apparatus 500 are all computer apparatuses described later with reference to FIG. Any number of member devices 200 and signer identification devices 400 may be connected to the network 600, but only one device is shown in FIG. 1 for simplicity.

  FIG. 2 is an explanatory diagram showing a hardware configuration of the computer device 10 that functions as the issuer device 100, the member device 200, the verification device 300, the signer identification device 400, and the revocation manager device 500 shown in FIG. is there. The computer device 10 includes a processor 11 that is a main body for executing a computer program, a storage unit 12 that stores the computer program and data, an input / output unit 13 that inputs and outputs data, and another computer device via a network 600. The communication part 14 which performs data communication with is provided.

  Returning to FIG. 1, the processor 11 and the storage unit 12 included in the issuer apparatus 100 are referred to as a processor 110 and an issuer storage unit 120, respectively. In the processor 110, the issuer key generation unit 111 and the issue unit 112 each operate as a computer program. Similarly, the processor 11 and the storage unit 12 included in the member device 200 are referred to as a processor 210 and a member storage unit 220, respectively. In the processor 210, the participation unit 211 and the signature generation unit 212 each operate as a computer program.

  The processor 11 and the storage unit 12 included in the verification device 300 are referred to as a processor 310 and a verifier storage unit 320, respectively. In the processor 310, the verification unit 311 operates as a computer program. The processor 11 and the storage unit 12 included in the signer identification device 400 are referred to as a processor 410 and a signer identification person storage unit 420, respectively. In the processor 410, a signer identification person key generation unit 411 and a signer identification part 412 each operate as a computer program.

  The processor 11 and the storage unit 12 included in the revocation manager device 500 are referred to as a processor 510 and a revocation manager storage unit 520, respectively. In the processor 510, the revocation manager key generation unit 511 and the revocation unit 512 each operate as a computer program.

In the group signature system 1, the following key data is created in advance by some method. Of the following key names, the abbreviation whose second character is “s” (secret) is the secret key, and whose second character is “p” (public) is the public key.
(1) Issue manager private key and issue manager public key (isk, ipk)
(2) Revocation manager private key and revocation manager public key (rsk, rpk)
(3) The signer-identifier private key and the signer-identifier public key (osk [1], opk [1]) to (osk [N], opk [ N])
(4) Member private key and member public key (msk, mpk)

  Each public key ipk, rpk, opk [1] to opk [N], mpk is open to all devices of the group signature system 1. The issue manager private key isk is stored only in the issuer storage unit 120 and can be referred to only from the issuer apparatus 100. Similarly, the revocation manager private key rsk is stored only in the revocation manager storage unit 520 and can be referred only from the revocation manager device 500. The signer-identifier private key osk [i] (i is a natural number and 1 ≦ i ≦ N) is stored only in the signer-identifier storage unit 420 of the signer-identifier, and the signer of the signer-identifier It can be referred only from the specific device 400. The member secret key msk is stored only in the member storage unit 220 of the member and can be referenced only from the member device 200 of the member.

  Each of the public key / private key pair described above is generated by a known key generation unit described in Non-Patent Document 2, for example. However, from the viewpoint of security, it is desirable that the N signer identification persons use common parameters. The common parameters here are, for example, the elliptic curve used for key generation and its base point in the method described in Non-Patent Document 2.

  The issuer key generation unit 111 operating in the issuer apparatus 100 receives the given security parameter and outputs isk and ipk. Similarly, the issuing unit 112 that operates in the issuer apparatus 100 issues msk and mpk to each member in cooperation with the participation unit 211 that operates in the member apparatus 200. The issuing unit 112 receives the security parameters and isk and ipk, and the participating unit 211 receives the security parameters and ipk, rpk, and opk, respectively.

  The signer specific person key generation unit 411 operating in the signer specific apparatus 400 outputs osk [i] and opk [i] (i is a natural number and 1 ≦ i ≦ N) with the security parameter as an input. The revocation manager key generation unit 511 operating on the revocation manager device 500 receives the security parameters and outputs rsk and rpk. Similarly, the revocation unit 512 operating in the revocation manager device 500 receives rsk and rpk and mpk of the member to be revoked, and outputs updated rpk. Using the updated rpk invalidates the group signature generated by the revoked member.

  The signature generation unit 212 operating on the member device 200 includes a signer identification person public key acquisition unit 212a1 and a signature generation unit 212a2. The signer specifying unit 412 operating in the signer specifying device 400 includes a signer specifying person private key acquisition unit 412a1, a signer specifying unit 412a2, and a member search unit 412a3. These and each operation | movement of the verification part 311 which operate | moves with the verification apparatus 300 are mentioned later.

  Further, mpk always includes different signer information h for each member, and a list that uniquely associates the signer information h with an ID for identifying the member is provided in the issuer storage unit 120 and the signer specifyer storage unit 420. Is remembered. These are called member lists 121 and 421, respectively.

  FIG. 3 is a flowchart showing an operation of generating a group signature by the member device 200 shown in FIG. A member who belongs to a group managed by the issuer selects j signer identifiers i_1 to i_j who want to identify a signer (the member himself) from N signer identifiers. (J is a natural number and j ≦ N), ipk, rpk, signer identification information, message M, and other data are input to the signature generation unit 212 of the member device 200, and the input / output unit of the member device 200 13 receives this input (step S11).

  Here, the member storage unit 220 stores in advance a signer specific person list 221 in which the public key of the signer specific person designated by the signer is stored. Alternatively, the signer-identifier list 221 may store information linked to the public key, such as information on the name of the signer-identifier and the location where the public key is disclosed, and a URL.

  The signer specific person public key acquisition unit 212a1 refers to the signer specific person list 221 and acquires the public keys opk [i_1] to opk [i_j] of the signer specific persons specified by the user. These public keys opk [i_1] to opk [i_j] are signer specific person information. The signer identification person public key acquisition unit 212 a 1 reads the mpk and msk of the member from the member storage unit 220. (Step S12).

  The signature generation means 212a2 that has received the above data ipk, rpk, opk [i_1] to opk [i_j], mpk, msk, message M, and so on, obtains the signer information h included in mpk from opk [i_1]. Encryption is performed using opk [i_j] to generate ENC [opk [i_1]] (h) to ENC [opk [i_j]] (h) (step S13).

  Subsequently, the signature generation unit 212a2 includes the group signature data σ including ENC [opk [i_1]] (h) to ENC [opk [i_j]] (h), and the signer specific person information opk [i_1] to opk [i_j. ] Is output (step S14).

  FIG. 4 is a flowchart illustrating an operation in which the verification apparatus 300 illustrated in FIG. 1 verifies the group signature. The verifier inputs the group signature data σ generated by the member device 200 in the operation shown in FIG. 3, the signer identifier identification information opk [i_1] to opk [i_j], and ipk and rpk to the verification device 300 (step) S21). The verification unit 311 performs a group signature verification operation on these data, determines whether the group signature data σ is valid (step S22), and if it is valid, accepts it (step S23). Otherwise, reject (step S24) is output.

  FIG. 5 is a flowchart showing an operation of identifying the signer by the signer identifying apparatus 400 shown in FIG. The signer identifier specifies the group signature data and the signer identifier information opk [i_1] to opk [i_j] generated by the operation shown in FIG. 3 by the member device 200 (step S31). .

  The signer-identifier private key acquisition unit 412a reads the signer-identifier secret key osk [i] stored in the signer-identifier storage unit 420 (step S32). The signer identification means 412a2 includes the public key opk [i] corresponding to its signer identifier private key osk [i] in the received signer identifier information opk [i_1] to opk [i_j]. (Step S33), if it is included, the cipher included in σ is decrypted with the secret key osk [i] to obtain the signer information h (step S34). If the public key opk [i] is not included in the signer specific person information opk [i_1] to opk [i_j] in step S33, a specific failure is output and the process ends (step S37).

  The member search means 412a3 that has obtained the signer information h through the processing up to step S34 reads the member list 421, searches for the ID of the member corresponding to the signer information h, and outputs the ID (steps S35 to S36). ).

(Overall operation of the first embodiment)
Next, the overall operation of the above embodiment will be described. The signature generation method according to the present embodiment is a signature generation apparatus (member apparatus 200) that stores in advance a member private key and a member public key of one signer who is a member of a group, and the signer belongs to the group. A signature generation method for generating and outputting a group signature, which is digital signature data certifying that the signature belongs, and is a signature to be permitted to specify the group's issuing manager public key, revoked manager public key, and signer Accepting input of signer-identifier information, which is information about the person-identifier (FIG. 3: step S11), obtaining a signer-identifier public key corresponding to the signer-identifier information (FIG. 3: step S12), A group containing data obtained by encrypting the signer information contained in the member private key using the signer identifier public key and a random number common to all the signer identifiers. It generates flop signature data (FIG. 3: step S13), and outputs the generated group signature data and the signature's particular originator information (FIG. 3: step S14).

  The signer identification method according to the present embodiment includes a signature that prestores a signer identifier private key and a member list that stores a member identifier (ID) corresponding to signer information included in the group signature. A signer identification method for identifying who is a signer belonging to a group with respect to a group signature, which is electronic signature data that proves that one signer who is a member of the group belongs to the group, in the person identification device 400 The input of the group signature and the signer specific person information output from the external signature generation device is accepted (FIG. 5: step S31), and the signer specific person private key is acquired (FIG. 5: step S32). It is determined whether or not the signer-identifier public key corresponding to the signer-identifier private key is included in the signer-identifier information (FIG. 5: Step S33). When the open key is included in the signer-identifier information, the signer-identifier private key is used to decrypt the group signature to obtain the signer information (FIG. 5: step S34), which is obtained by decryption. The member identifier corresponding to the signer information is retrieved from the member list (FIG. 5: step S35), and the retrieved member identifier is output (FIG. 5: step S36).

Here, each of the above operation steps may be programmed to be executable by a computer, and may be executed by the member device 200 and the signer identification device 400 which are computers that directly execute the steps.
With this configuration and operation, the present embodiment has the following effects.

  In this embodiment, it is possible to generate and use group signature data that can identify the same signer by using one group signature data regardless of the number of signer-identifiers. It becomes possible. The total amount of data such as group signature data related to processing does not increase in proportion to the number of signer specific persons.

  In the present embodiment, any known technique as described in the above-mentioned patent document and non-patent document can be applied to generate the group signature data, but in particular, Non-patent document 1, Non-patent document 3, Non-patent document. It is suitable for the method described in Document 4. These methods do not have a revocation management device, but can be easily applied by making the revocation manager's key pair rsk and rpk empty data. In this case, the common parameters in the method described in Non-Patent Document 1 are a group of ElGamal ciphers and the generation source thereof, and the common parameters in the methods described in Non-Patent Documents 3 and 4 are an elliptic curve to be used and a base point thereof.

(Second Embodiment)
In the second embodiment of the present invention, in addition to the configuration of the first embodiment, the input unit (input / output unit 13) of the signature device (member device 200b) has two or more signer identification persons. The signature generation unit 212b accepts an input of a signer identification person logical structure that can include a logical condition to identify the signer in cooperation, and the signature generation unit 212b generates group signature data using the signer identification person logical structure. Configured.

  Furthermore, the input unit (input / output unit 13) of the signer specifying device 400 can include a logical condition that two or more signer specifying members cooperate to specify the signer. Upon receiving the input of the logical structure, the signer identification unit 412b decrypts the group signature using the signer identification person logical structure.

With this configuration, it is possible to generate group signature data including a condition that two or more signer identification persons cooperate to identify the signer in cooperation.
Hereinafter, this will be described in more detail.

  FIG. 6 is an explanatory diagram showing the overall configuration of the group signature system 1b according to the second embodiment of the present invention. In the group signature system 1b, the hardware and software configurations are the same as those described in the first embodiment, but the operations of the signature generation unit, the verification unit, and the signer identification unit are the first as described later. This is different from that described in the embodiment. These are referred to as a signature generation unit 212b, a verification unit 311b, and a signer identification unit 412b, respectively. The signature generation unit 212b includes a signer identification person public key acquisition unit 212b1 and a signature generation unit 212b2. The signer identification unit 412b includes a signer identifier private key acquisition unit 412b1, a signer identification unit 412b2, and a member search unit 412b3. The member device, the verification device, and the signer identification device are referred to as a member device 200b, a verification device 300b, and a signer identification device 400b, respectively. The hardware configuration of each of these devices is the same as that described in FIG.

  In the group signature system 1 according to the first embodiment, for example, when there are three signer specific persons designated by the signer specific person information, A, B, and C, any one of A, B, and C Or one person could identify the signer. In contrast, in the group signature system 1b according to the second embodiment, the signer identifier information may include a condition that “two or more signer identifiers cooperate to identify the signer”. When this condition is included, for example, “signer identification person A can identify the signer alone. Signer identification persons B and C cannot identify the signer alone, but signer identification persons B and C It is possible to set a condition having an arbitrary logical structure such as “the signer can be identified by cooperation”.

  In the group signature system 1b according to the second embodiment, key data similar to that of the group signature system 1 according to the first embodiment is created in advance and given to each device. The issuer storage unit 120 and the signer identification person storage unit 420 store member lists 121 and 421, respectively, similar to those in the first embodiment.

  FIG. 7 is a flowchart showing an operation of generating a group signature by the member device 200b shown in FIG. A member who belongs to a group managed by the issuer selects j signer identifiers i_1 to i_j who want to identify a signer (the member himself) from N signer identifiers. (J is a natural number and j ≦ N), ipk, rpk, signer specific person information, signer specific person logical structure, message M, and the above data are input to the signature generation unit 212 of the member device 200. The input / output unit 13 of the member device 200b receives this input (step S111).

  Here, the member storage unit 220 stores in advance a signer specific person list 221 in which the public key of the signer specific person designated by the signer is stored. Alternatively, the signer-identifier list 221 may store information linked to the public key, such as information on the name of the signer-identifier and the location where the public key is disclosed, and a URL.

  Further, the signer-identifier logical structure designates a logical structure for the signer-specific authority of the signer-identifiers i_1 to i_j designated by the signer-identifier information. For example, it is described as “identifiable by one person: i_1, i_2” and “identifiable in cooperation: (i_3, i_4), (i_5, i_6, i_7)”. Alternatively, it can be described as “i — 1 OR i — 2 OR (i — 3 AND i — 4) OR (i — 5 AND i — 6 AND i — 7)”. Here, for the sake of simplicity, it is assumed that “one person can specify: i — 1, i — 2” and “cooperative identification: (i — 3, i — 4), (i — 5, i — 6, i — 7)” are described.

The signer specific person public key acquisition unit 212b1 refers to the signer specific person list 221 and acquires the public keys opk [i_1] to opk [i_j] of the signer specific persons specified by the user. Then, the signer identification person public key acquisition unit 212b1 reads the mpk and msk of the member from the member storage unit 220. (Step S112)
The signature generation unit 212b2 that has received the above data, ipk, rpk, opk [i_1] to opk [i_j], signer identifier logical structure, mpk, msk, message M, has received this signer identifier logical structure. Then, the signer information h is encrypted. For the signer identifiers i_1 and i_2 that can be specified by one person, the signature generation unit 212b is a cipher that can be specified individually, ENC [opk [i_1]] (h), ENC [opk [i_2]. ] (H) is generated.

  The signature generation unit 212b generates opk [i_3, i_4], which is a public key corresponding to osk [i_3] and osk [i_4], for a set of signer identifiers i_3 to i_4 that can be identified in cooperation. . Similarly, the signature generation unit 212b applies the public key opk [i_5 corresponding to osk [i_5], osk [i_6], and osk [i_7] to the set of signer identification persons i_5 to i_7 that can be identified in cooperation. , I_6, i_7]. Then, the signature generation unit 212b encrypts the signer information h by using each of the encryption keys, and ENC [opk [i_3, i_4]] (h), ENC [opk [i_5, i_6, i_7]. ]] Is generated (step S113).

  Subsequently, the signature generation unit 212b2 includes ENC [i_1] (h), ENC [i_2] (h), ENC [opk [i_3, i_4]] (h), ENC [opk [i_5, i_6, i_7]]. The group signature data σ, the signer-identifier public key (opk [i_1] to opk [i_j]), which is the signer-identifier information, and the signer-identifier logical structure are output (step S114).

  FIG. 8 is a flowchart illustrating an operation in which the verification apparatus 300b illustrated in FIG. 6 verifies the group signature. The verifier verifies the group signature data, signer identifier information opk [i_1] to opk [i_j], signer identifier logic structure, and ipk and rpk generated by the member device 200b in the operation shown in FIG. 300 is input (step S121).

  The verification unit 311b generates opk [i_3, i_4] corresponding to osk [i_3] and osk [i_4] for the set of signer identification persons i_3 to i_4 that can be identified in cooperation. For the set of signer identification persons i_5 to i_7, the verification unit 311b generates opk [i_5, i_6, i_7] corresponding to osk [i_5], osk [i_6], and osk [i_7]. Then, the verification unit 311b determines whether the group signature data σ is valid using these opk [i_1], opk [i_2], opk [i_3, i_4], opk [i_5, i_6, i_7]. (Step S122), if it is valid, it accepts (Step S123), and if not, it rejects (Step S124).

  FIG. 9 is a flowchart showing an operation in which the signer specifying device 400b shown in FIG. 6 specifies the signer. The group signature data σ generated by the operation shown in FIG. 3 by the member device 200, the signer identifier information opk [i_1] to opk [i_j], and the signer identifier person logical structure are specified by the signer identifier. Input to the device 400b (step S131).

  The signer-identifier private key acquisition unit 412b1 reads the set OSK of the signer-identifier private keys from the signer-identifier storage unit 420. Here, any number of input private keys for the signer identification person may be used as long as the number is one or more. Hereinafter, a case where OSK = (osk [i_3], osk [i_4]) is input will be described as an example (step S132).

  The signer identification means 412b2 confirms that the OSK satisfies the signer identification person logical structure input in step S131. That is, it is confirmed that the secret key included in the OSK satisfies the conditions specified in the signer-identifier logical structure and can identify the signer (step S133). If not satisfied, a specific failure is output and the process is terminated (step S137). If it satisfies, the encryption ENC [opk [i_3], opk [i_4]] (h) included in σ is decrypted using the necessary secret keys osk [i_3], osk [i_4], and the signer information h is obtained. Obtain (step S134).

  The member search unit 412b3 that has obtained the signer information h through the processing up to step S134 reads the member list 421, searches for the ID of the member corresponding to the signer information h, and outputs the ID (steps S135 to 136). ).

(Overall operation of the second embodiment)
Next, the overall operation of the above embodiment will be described. In the signature generation method according to the present embodiment, in addition to the operation of the first embodiment described above, the step of accepting input is a logical condition that two or more signer identification persons cooperate to identify a signer. Is received (FIG. 7: step S111), and the step of generating group signature data generates group signature data using the signer specific person logical structure (FIG. 7: FIG. 7). Step S113).

  The signer identification method according to the present embodiment is such that, in addition to the operation of the first embodiment described above, the step of accepting an input identifies two or more signer identification persons in cooperation with each other. The process of decrypting the group signature is received using the signer specific person logical structure (FIG. 9: Step S131). : Step S134).

Here, each of the above-described operation steps is programmed to be executable by a computer, and is executed by a signature generation device (member device 200b) and a signer identification device 400b, which are computers that directly execute the steps. It may be.
With this configuration and operation, the present embodiment has the following effects.

  In this embodiment, it is possible to generate group signature data including a condition that two or more signers who specify signers cooperate to specify the signers. Therefore, it is possible to specify the user and the signer as compared with the first embodiment. Convenience can be increased. In addition, the total amount of data such as group signature data related to the processing only increases by the amount corresponding to the signer-identifier logical structure, and therefore increases in proportion to the number of signer-identifiers. There is no.

  As in the first embodiment described above, in this embodiment, any known technique such as that described in the above-mentioned patent document and non-patent document can be applied in generating the group signature data. It is suitable for the systems described in Patent Document 1, Non-Patent Document 3, and Non-Patent Document 4. These methods do not have a revocation management device, but can be easily applied by making the revocation manager's key pair rsk and rpk empty data. In this case, the common parameters in the method described in Non-Patent Document 1 are a group of elliptic ElGamal ciphers and a generation source thereof, and the common parameters in the methods described in Non-Patent Documents 3 and 4 are an elliptic curve to be used and a base point thereof.

(Third embodiment)
In the third embodiment of the present invention, in addition to the configuration of the first embodiment described above, the signature generation means 212c2 of the signature device (member device 200c) generates a common random number for all the signer identification persons. It is configured to generate group signature data including data obtained by encrypting signer information.

With this configuration, in the present embodiment, the data length of the group signature data does not increase according to the number of signer specific persons.
Hereinafter, this will be described in more detail.

  FIG. 11 is an explanatory diagram showing the overall configuration of the group signature system 1c according to the third embodiment of the present invention. The group signature system 1c has the same hardware and software configurations as those described in the first and second embodiments, but the operations of the signature generation unit, verification unit, and signer identification unit as will be described later. Is different from that described in the first embodiment. These are referred to as a signature generation unit 212c, a verification unit 311c, and a signer identification unit 412c, respectively. The signature generation unit 212c includes a signer identification person public key acquisition unit 212c1 and a signature generation unit 212c2. The signer identification unit 412c includes a signer identifier private key acquisition unit 412c1, a signer identification unit 412c2, and a member search unit 412c3. The member device, the verification device, and the signer identification device are referred to as a member device 200c, a verification device 300c, and a signer identification device 400c, respectively. The hardware configuration of each of these devices is the same as that described in FIG.

  In the third embodiment of the present invention, the group signature system 1 according to the first embodiment described above is disclosed by the issuer, the signer identification person, the revocation manager, and the members in the group signature system described in Non-Patent Document 2. This is an example realized using a key / secret key.

  In the group signature method described in Non-Patent Document 2 that is also adopted in the present embodiment, the issuer, the signer identification person, the revocation manager, and the public / private keys of the members are as follows. However, κ_n, κ_l, κ_e, κ_ {e ′}, κ, κ_c, and κ_S are all security parameters. From the viewpoint of security, each security parameter is desirably κ_n = κ_l = 1024, κ_e = 504, κ_ {e ′} = 60, κ = 160, κ_c = 160, κ_S = 60 or more.

Issuer public key ipk = (n, a_0, a_1, a_2), issuer private key isk = (p_1, p_2)
Here, p_1 and p_2 are κ_n / 2-bit safe primes, that is, primes having prime numbers p′_1 and p′_2 that satisfy p_1 = 2p′_1 + 1 and p_2 = 2p′_2 + 1. Here, n = p_1p_2. A_0, a_1, and a_2 are elements of QR (n).

Signer specific person public key opk = (q, g, H_1, H_2), signer specific person private key osk = (y_1, y_2)
Here, q is the order of groups G and G for which the DDH (Computational Diffie-Hellman) assumption holds. Further, the generation source g of the group G, H_1 = [y_1] g, and H_2 = [y_2] g.

However, from the viewpoint of security, it is desirable that the signer identification persons 1 to N use the common parameters (q, g). That is, when the key pair of the signer identification person i (1 ≦ i ≦ N) is described as opk [i] and osk [i], the following equation 1 is established.

Revocation manager public key rpk = (l, b, w), revocation manager private key rsk = (l_1, l_2)
l_1 and l_2 are safety prime numbers of κ_l / 2 bits, respectively, and l = l_1l_2. B and w are elements of QR (l).

Public key mpk = (h_i, A_i, e′_i, B_i) of member U_i, secret key msk = x_i of member U_i
Here, h_i, B_i, and a_0a_1 satisfy the relationship shown in Equation 2 below.

  FIG. 11 is a flowchart showing an operation of generating a group signature by the member device 200c shown in FIG. A member who belongs to a group managed by the issuer selects j signer identifiers i_1 to i_j who want to identify a signer (the member himself) from N signer identifiers. (J is a natural number and j ≦ N), ipk, rpk, signer identification information, message M, and the like are input to the signature generation unit 212 of the member device 200, and the input / output unit of the member device 200c 13 receives this input (step S211).

  Here, the member storage unit 220 stores in advance a signer specific person list 221 in which the public key of the signer specific person designated by the signer is stored. Alternatively, the signer-identifier list 221 may store information linked to the public key, such as information on the name of the signer-identifier and the location where the public key is disclosed, and a URL.

  The signer / identifier public key acquisition unit 212c1 refers to the signer / identifier public list 221 and acquires the public keys opk [i_1] to opk [i_j] of the signer / identifier specified by the user. Then, the signer specific person public key acquisition unit 212 c 1 reads mpk_i = (h_i, A_i, e′_i, B_i) and msk_i = x_i of the member from the member storage unit 220. (Step S212) The signature generation means 212c2 that has received ipk, rpk, opk [i_1] to opk [i_j], mpk_i, msk_i, and message M performs the arithmetic processing shown in the following steps S213 to 223.

The signature generation unit 212c2 randomly selects an element ρ_E of Z_ [q] and calculates E represented by Equation 3 (step S213).

In this equation 3, ρ_E becomes the “common random number” in the claims of the present application. For one signer specific person, the signature generation means 212c2 calculates three elements as shown in Equation 4, so if there are j signer specific persons, 3j elements are calculated. .

  In this embodiment, since the random number ρ_E used in these 3j elements is made common to all the signer identifiers, [ρ_E] g that is one of the three elements is all It is common for the signer identification person. Therefore, in practice, only 2j + 1 calculations are required, and the calculation amount can be reduced to almost two thirds.

Following this, the signature generation means 212c2 randomly selects ρ_m of κ_n / 2 bits and calculates A_ [com] and s shown in Equation 5. However, e_i = 2 ^ {κ_ {e}} + e′_i (step S214).

The signature generation unit 212c2 randomly selects ρ_l / 2-bit ρ_r, and calculates B_ [com] and t expressed by Equation 6 (step S215).

  The signature generation unit 212c2 sets λ = κ_n + κ + κ_S and randomly selects λ-bit μ_x. Also, κ_e + (κ_n / 2) + κ_c + κ_S bits of μ_S, κ_ {e ′} + κ_c + κ_S bits of μ_ {e ′}, κ_ {e ′} + κ_l / 2 + κ_c + κ_S bits of μ_t, and Z_q element μ_E are randomly selected. Select (step S216).

The signature generation unit 212c2 calculates V_C expressed by Equation 7 (step S217).

The signature generation unit 212c2 calculates V_M expressed by Equation 8 (step S218).

The signature generation unit 212c2 calculates V_R expressed by Equation 9 (step S219).

The signature generation unit 212c2 calculates c represented by Equation 10 (step S220).

The signature generation unit 212c2 calculates each of τ_x, τ_s, τ_t, τ_ {e ′}, and τ_E expressed by Equation 11 (step S221).

The signature generation unit 212c2 confirms that the conditions shown in Expression 12 are satisfied (step S222). If not established, the process returns to step S216 to randomly select each of the other μ_x, μ_S, μ_ {e ′}, μ_t, and μ_E.

  The signature generation unit 212c2 is obtained by the above calculation (σ = ((E, A_ [com], B_ [com], c, τ_x, τ_S, τ_ {e ′}, τ_t, τ_E), M), The signer identification person information) is output as group signature data (step S223).

  FIG. 12 is a flowchart illustrating an operation in which the verification apparatus 300c illustrated in FIG. 10 verifies the group signature. The verifier inputs the group signature data σ generated by the member device 200c in the operation shown in FIG. 12, the signer identifier identification information opk [i_1] to opk [i_j], and ipk and rpk to the verification device 300 (step) S321). The verification unit 311c performs the operations shown in steps S322 to S324 below on these data, and verifies the group signature.

The verification unit 311c confirms that the conditions indicated by Equation 13 are satisfied (step S322). If established, the process proceeds to step S323 and subsequent steps. If not established, an unacceptable message is output and the process is terminated (step S326).

The verification unit 311c calculates each of τ_e, V′_C, V′_M, and V′_R expressed by Equation 14 (step S323).

The verification unit 311c confirms whether or not the condition shown in Expression 15 is satisfied (step S324), and outputs an acceptance if it is satisfied (step S325), otherwise outputs an unaccepted process. Is finished (step S326).

  FIG. 13 is a flowchart illustrating an operation of identifying a signer performed by the signer identifying apparatus 400c illustrated in FIG. The signer identification person inputs the group signature data and the signer identification person information opk [i_1] to opk [i_j] generated by the member device 200c by the operation shown in FIG. 12 (step S331). .

The signer-identifier private key acquisition unit 412c1 reads the signer-identifier secret key osk [i] stored in the signer-identifier storage unit 420 (step S332). The signer identification unit 412c2 includes the public key opk [i] corresponding to its own signer identifier private key osk [i] in the received signer identifier information opk [i_1] to opk [i_j]. It is determined whether or not (step S333). Here, since osk_ [i] = (y_ {i, 1}, y_ {i_2}), if i_k satisfying the condition shown in Equation 16 exists, the received signer specific person information includes its own The public key corresponding to the signer specific person private key is included.

  If it is determined that it is included in step S333, the process proceeds to step S334 and subsequent steps. If it is determined that it is not included, a failure is output and the process is terminated (step S337). If it is included, the signer specifying means 412c2 decrypts the encryption included in σ with this secret key osk [i_k] to obtain the signer information h (step S334).

More specifically, the parts encrypted with opk [i] included in the element E of the group signature data σ are defined as E_1 and E_2. At this time, the signer specifying means 412c2 calculates S_1 and S_2 shown in Expression 17, and if S_1 = S_2, the signer information h = S_1.

  The member search unit 412c3 that has obtained the signer information h through the processing up to step S334 reads the member list 421, searches for the ID of the member corresponding to the signer information h, and outputs the ID (steps S335 to 336). ).

As described above, this embodiment has the following effects.
Since the present embodiment is configured to generate group signature data including data obtained by encrypting signer information by using a random number common to all signer identifiers, the number of signer identifiers is determined. Assuming j, the amount of calculation can be reduced from 3j to 2j + 1.

(Fourth embodiment)
In the fourth embodiment of the present invention, in addition to the configuration of the second embodiment described above, the input unit (input / output unit 13) of the signature device (member device 200d) has two or more signer identification persons. The signature generation unit 212d accepts an input of a signer identification person logical structure that can include a logical condition to identify the signer in cooperation, and the signature generation unit 212d generates group signature data using the signer identification person logical structure. Configured.

  Furthermore, the input unit (input / output unit 13) of the signer specifying device 400 can include a logical condition that two or more signer specifying members cooperate to specify the signer. The signer identification unit 412d receives an input of the logical structure, and decrypts the group signature using the signer identifier specific logic structure.

By providing this configuration, the effects of both the second and third embodiments described above can be obtained simultaneously.
Hereinafter, this will be described in more detail.

  FIG. 14 is an explanatory diagram showing the overall configuration of the group signature system 1d according to the fourth embodiment of the present invention. The group signature system 1d has the same hardware and software configurations as those described in the first to third embodiments. Is different from that described in the first embodiment. These are referred to as a signature generation unit 212d, a verification unit 311d, and a signer identification unit 412d, respectively. The signature generation unit 212d includes a signer identification person public key acquisition unit 212d1 and a signature generation unit 212d2. The signer identification unit 412d includes a signer identifier private key acquisition unit 412d1, a signer identification unit 412d2, and a member search unit 412d3. The member device, the verification device, and the signer identification device are referred to as a member device 200d, a verification device 300d, and a signer identification device 400d, respectively. The hardware configuration of each of these devices is the same as that described in FIG.

  In the fourth embodiment of the present invention, the group signature system 1b according to the second embodiment described above is disclosed by the issuer, the signer identification person, the revocation manager, and the members in the group signature system described in Non-Patent Document 2. It is an example in the case of realizing using a key / secret key.

  In the group signature method described in Non-Patent Document 2 that is also adopted in the present embodiment, the issuer, the signer identification person, the revocation manager, and the public / private keys of the members are as follows. However, κ_n, κ_l, κ_e, κ_ {e ′}, κ, κ_c, and κ_S are all security parameters. From the viewpoint of security, each security parameter is desirably κ_n = κ_l = 1024, κ_e = 504, κ_ {e ′} = 60, κ = 160, κ_c = 160, κ_S = 60 or more.

Issuer public key ipk = (n, a_0, a_1, a_2), issuer private key isk = (p_1, p_2)
Here, p_1 and p_2 are κ_n / 2-bit safe primes, that is, primes having prime numbers p′_1 and p′_2 that satisfy p_1 = 2p′_1 + 1 and p_2 = 2p′_2 + 1. Here, n = p_1p_2. A_0, a_1, and a_2 are elements of QR (n).

Signer specific person public key opk = (q, g, H_1, H_2), signer specific person private key osk = (y_1, y_2)
Here, q is the order of groups G and G for which the DDH (Computational Diffie-Hellman) assumption holds. Further, the generation source g of the group G, H_1 = [y_1] g, and H_2 = [y_2] g.

However, from the viewpoint of security, it is desirable that the signer identification persons 1 to N use the common parameters (q, g). That is, when the key pair of the signer identification person i (1 ≦ i ≦ N) is described as opk [i] and osk [i], the following Expression 18 is established.

Revocation manager public key rpk = (l, b, w), revocation manager private key rsk = (l_1, l_2)
l_1 and l_2 are safety prime numbers of κ_l / 2 bits, respectively, and l = l_1l_2. B and w are elements of QR (l).

Public key mpk = (h_i, A_i, e′_i, B_i) of member U_i, secret key msk = x_i of member U_i
Here, h_i, B_i, and a_0a_1 satisfy the relationship shown in Equation 19 below.

  FIG. 15 is a flowchart showing an operation of generating a group signature by the member device 200d shown in FIG. A member who belongs to a group managed by the issuer selects j signer identifiers i_1 to i_j who want to identify a signer (the member himself) from N signer identifiers. (J is a natural number and j ≦ N), ipk, rpk, signer specific person information, signer specific person logical structure, message M, and other data are input to the signature generation unit 212 of the member device 200 ( Step S411).

  In the present embodiment, for simplicity, the signer information is the public key opk [i_1] to opk [i_7] of the signer identifier, and the signer identifier logical structure is the same as that described in the second embodiment. The description will be made on the assumption that “identifiable by one person: i_1, i_2” and “identifiable by cooperation: (i_3, i_4), (i_5, i_6, i_7)” are input. Any number of public keys of the signer identification person may be input as long as it is one or more, and any logical expression may be used as long as the logical structure is a satisfactory logical expression.

  The signer-identifier public key acquisition unit 212c1 refers to the signer-identifier list 221 to acquire the public keys opk [i_1] to opk [i_j] of the signer-identifier specified by the user. The signer specific person public key acquisition unit 212c1 reads mpk_i = (h_i, A_i, e'_i, B_i) and msk_i = x_i of the member from the member storage unit 220 (step S412).

  The signature generation unit 212d having received the above data ipk, rpk, opk [i_1] to opk [i_j], signer identifier logical structure, mpk_i, msk_i, message M, and so on, Accordingly, the arithmetic processing shown in the following steps S413 to 423 is performed.

The signature generation unit 212d2 calculates opk [i_3, i_4] and opk [i_5, i_6, i_7] by the calculation shown in Equation 20 below (step S413).

Subsequently, the signature generation unit 212d2 randomly selects an element ρ_E of Z_ {q}, and calculates E by the calculation shown in the following formula 21 (step S414).

  In this equation 21, ρ_E becomes the “common random number” as defined in the claims of the present application. The effect of this “common random number” is the same as that described in the third embodiment (step S213 in FIG. 12).

Subsequently, the signature generation unit 212d2 randomly selects ρ_n / 2-bit ρ_m, and calculates A_ [com] and s by the calculation shown in Equation 22 below (step S415). However, e_i = 2 ^ {κ_ {e}} + e′_i.

Subsequently, the signature generation unit 212d2 randomly selects ρ_n / 2-bit ρ_r, and calculates B_ [com] and t by the calculation shown in the following Expression 23 (step S416).

  Subsequently, the signature generation unit 212d2 sets λ = κ_n + κ + κ_S and randomly selects λ-bit μ_x. Also, κ_e + (κ_n / 2) + κ_c + κ_S bit μ_S, κ_ {e ′} + κ_c + κ_S bit μ_ {e ′}, κ_ {e ′} + κ_l / 2 + κ_c + κ_S bit μ_t, and Z_q element μ_E are randomly selected. (Step S417).

Subsequently, the signature generation unit 212d2 calculates V_C by the calculation shown in the following Expression 24 (step S418).

Subsequently, the signature generation unit 212d2 calculates V_M by the calculation shown in the following formula 25 (step S419).

Subsequently, the signature generation unit 212d2 calculates V_R by the calculation shown in the following Expression 26 (Step S420).

Subsequently, the signature generation unit 212d2 calculates c by the calculation shown in the following Expression 27 (step S421).

Subsequently, the signature generation unit 212d2 calculates each of τ_x, τ_s, τ_t, τ_ {e ′}, and τ_E by the calculation shown in the following Equation 28 (step S422).

The signature generation unit 212d2 confirms that the conditions represented by Equation 29 are satisfied (step S423). If not established, the process returns to step S417 to randomly select each of the other μ_x, μ_S, μ_ {e ′}, μ_t, and μ_E.

  The signature generation unit 212d2 is obtained by the above calculation (σ = ((E, A_ [com], B_ [com], c, τ_x, τ_S, τ_ {e ′}, τ_t, τ_E), M), The signer identification person information) is output as group signature data (step S424).

  FIG. 16 is a flowchart illustrating an operation in which the verification apparatus 300d illustrated in FIG. 14 verifies the group signature. The verifier verifies the group signature data σ generated by the operation shown in FIG. 15 by the member device 200d, the signer identifier information opk [i_1] to opk [i_j], the signer identifier logical structure, and ipk and rpk. Input to the apparatus 300 (step S521). The verification unit 311d performs the calculation shown in steps S522 to S524 below on these data, and verifies the group signature.

  In the present embodiment, for simplicity, the signer information is the public key opk [i_1] to opk [i_7] of the signer identifier, and the signer identifier logical structure is the same as that described in the second embodiment. The description will be made on the assumption that “identifiable by one person: i_1, i_2” and “identifiable by cooperation: (i_3, i_4), (i_5, i_6, i_7)” are input. Any number of public keys of the signer identification person may be input as long as it is one or more, and any logical expression may be used as long as the logical structure is a satisfactory logical expression.

The verification unit 311c performs the calculation represented by Equation 30 and confirms that the conditions represented by Equation 31 are satisfied (Step S522). If established, the process proceeds to step S523 and subsequent steps. If not established, an unacceptable message is output and the process is terminated (step S526).

The verification unit 311c calculates each of the expressions 32 (step S523).

The verification unit 311d confirms whether or not the condition shown in Expression 33 is satisfied (step S524). If the condition is satisfied, the verification unit 311d outputs an acceptance (step S525). Is finished (step S526).

  FIG. 17 is a flowchart showing an operation of identifying a signer performed by the signer identifying apparatus 400d shown in FIG. The group signature data generated by the member device 200d in the operation shown in FIG. 15, the signer specific person information opk [i_1] to opk [i_j], and the signer specific person logical structure are respectively represented by the signer specific persons i_3 and i_4. Is input to the signer identification device 400d (step S531).

  Each signer specifying unit 412d reads each signer specifyer private key osk [i_3] and osk [i_4] stored in the signer specifyer storage unit 420 (step S532), and receives the received signer specify The public key opk [i] corresponding to the signer specific person private key osk [i] is included in the signer information opk [i_1] to opk [i_j], and they satisfy the signer specific person logical structure. It is determined whether or not (step S533).

  If it is determined that the condition is satisfied in step S533, the process proceeds to step S534 and subsequent steps. If it is determined that the condition is not satisfied, a failure is output and the process is terminated (step S537). If it satisfies, the signer specifying unit 412d uses the secret keys osk [i_3] and osk [i_4] to include the ciphers (E_0, E_ {i_3, i_4, 1}, E_ {i_3, i_4, 2}). And signer information h is obtained (step S534).

More specifically, the signer specifying unit 412d calculates each of the opk and osk represented by Equation 34, further calculates S_1 and S_2 represented by Equation 35, and if S_1 = S_2, the signer information h = S_1.

  The signer identification unit 412d that has obtained the signer information h through the processing up to step S534 reads the member list 421, searches for the ID of the member corresponding to the signer information h, and outputs the ID (step S535). 536).

As described above, this embodiment has the following effects.
As in the third embodiment, this embodiment is configured to generate group signature data including data obtained by encrypting the signer information using a random number common to all the signer identifiers. Therefore, if the number of signer identification persons is j, the amount of calculation can be reduced from 3j to 2j + 1. In addition, since it is possible to generate group signature data that includes a condition that two or more signer identification persons cooperate to specify the signer, the convenience for the user and the signer identification person can be increased. .

  The present invention has been described with reference to the specific embodiments shown in the drawings. However, the present invention is not limited to the embodiments shown in the drawings, and any known hitherto provided that the effects of the present invention are achieved. Even if it is a structure, it is employable.

  The present invention can be applied to all digital data using an electronic signature. This is particularly useful in electronic signatures where it is necessary to prove that the signer belongs to a specific group.

1, 1b, 1c, 1d group signature system 10 computer device 11, 110, 210, 310, 410, 510 processor 12 storage unit 13 input / output unit 14 communication unit 100 issuer device 111 issuer key generation unit 112 issue unit 120 issue Member storage unit 121, 421 Member list 200, 200b, 200c, 200d Member device 211 Participating means 212, 212b, 212c, 212d Signature generation unit 220 Member storage unit 221 Signer identification person list 300, 300b, 300c, 300d Verification device 311 311b, 311c, 311d Verification means 320 Verifier storage unit 400, 400b, 400c, 400d Signer identification device 411 Signer identification key generation means 412, 412b, 412c, 412d Signer identification means 42 Signatories particular person storage unit 500 revocation manager device 511 revocation administrator key generation unit 512 revocation unit 520 revocation manager storage unit 600 network

Claims (14)

A signature generation device that generates and outputs a group signature as electronic signature data certifying that one signer who is a member of a group belongs to the group,
An input unit that accepts input of signer-identifier information that is information about a plurality of signer-identifiers to be permitted to identify the issuer public key and revocation manager public key of the group and the signer; and
A storage unit for previously storing the signer's member private key and member public key;
A signer-identifier public key acquisition means for acquiring a signer-identifier public key corresponding to the signer-identifier information;
Group signature data including data obtained by encrypting signer information included in the member secret key is generated using the signer identifier public key and a random number common to all the signer identifiers. Signature generation means;
A signature generation apparatus comprising: an output unit that outputs the generated group signature data and the input signature identifier information. The input unit accepts input of a signer-identifier logical structure that may include a logical condition that two or more signer-identifiers cooperate to identify a signer;
The signature generation apparatus according to claim 1, wherein the signature generation unit generates the group signature data using the signer-identifier logical structure. A signer identification device that identifies who is the signer belonging to the group with respect to a group signature that is electronic signature data certifying that one signer who is a member of the group belongs to the group,
An input unit that receives input of the group signature and signer specific person information output from an external signature generation device;
A storage unit that stores in advance a signer-identifier private key and a member list that stores member identifiers corresponding to signer information included in the group signature;
A signer specific person private key obtaining means for obtaining the signer specific person private key from the storage unit;
When the signer-identifier public key corresponding to the signer-identifier private key is included in the signer-identifier information, the signer is obtained by decrypting the group signature using the signer-identifier private key. A signer identification means for obtaining information;
Member search means for searching a member identifier corresponding to the signer information obtained by decryption from the member list;
And an output unit for outputting the retrieved member specifier. The input unit accepts input of a signer-identifier logical structure that may include a logical condition that two or more signer-identifiers cooperate to identify a signer;
4. The signer identification device according to claim 3, wherein the signer identification unit decrypts the group signature by using the signer identifier logical structure. A signature generation device that generates and outputs a group signature, which is electronic signature data certifying that one signer who is a member of the group belongs to the group; and the group signature is legitimately assigned by the signer belonging to the group A group signature system comprising: a verification device that verifies whether or not the signature is generated; and a signer identification device that identifies who the signer is for the group signature,
The signature generation device accepts input of the issuer administrator public key and the revocation administrator public key of the group, and the signer identifier information that is information about the signer identifier to be permitted to identify the signer. A first input unit; a first storage unit that stores in advance the member's private key and member public key of the signer; and a signer identification that acquires a signer identifier public key corresponding to the signer identifier information Data obtained by encrypting signer information included in the member private key using a signer public key acquisition means, the signer identifier public key, and a random number common to all the signer identifiers A signature generation means for generating group signature data including a first output unit for outputting the generated group signature data and the signer identification information;
A second input unit that receives input of the group signature data output from the signature generation device, the signer identifier information, and the group issuance manager public key and revocation manager public key; A second storage unit that stores its own signer-identifier private key, a verification unit that verifies whether the group signature data is legitimately generated by the signer belonging to the group, A second output unit for outputting a result of the verification;
A third input unit that accepts input of the group signature and signer identifier information output from an external signature generator, and a member corresponding to the signer identifier private key and signer information A third storage unit that stores in advance a member list that stores a specific child; a signer specific person private key acquisition unit that acquires the signer specific person private key from the storage unit; and the signer specific person private key Signer identification means for obtaining signer information by decrypting the group signature using the signer identifier private key when the signer identifier public key corresponding to is included in the signer identifier information And member search means for searching the member list corresponding to the signer information obtained by decryption from the member list, and a third output unit for outputting the searched member specifier. Group signature system according to claim. The first input unit accepts an input of a signer-identifier logical structure that may include a logical condition that two or more signer-identifiers cooperate to identify a signer;
The signature generation means generates the group signature data using the signer-identifier logical structure;
6. The group signature system according to claim 5, wherein the signer identification unit decrypts the group signature by using the signer identifier logical structure. In a signature generation apparatus that stores in advance a member private key and a member public key of one signer who is a member of a group, a group signature which is electronic signature data certifying that the signer belongs to the group A signature generation method for generating and outputting,
Accepting the input of the issuer administrator public key and revocation administrator public key of the group, and the signer identifier information that is information about the signer identifier to be permitted to identify the signer,
Obtaining a signer-identifier public key corresponding to the signer-identifier information;
Generating group signature data including data obtained by encrypting signer information included in the member secret key using the signer identifier public key and a random number common to all the signer identifiers ,
A signature generation method comprising outputting the generated group signature data and the signer identification information. The step of accepting the input accepts an input of a signer-identifier logical structure that can include a logical condition that two or more signer-identifiers cooperate to identify the signer;
8. The signature generation method according to claim 7, wherein the step of generating the group signature data generates the group signature data using the signer-identifier logical structure. One signer who is a member of a group in a signer identification device storing in advance a signer identifier private key and a member list storing member identifiers corresponding to signer information included in the group signature A signer identification method for identifying who is the signer belonging to the group with respect to a group signature that is electronic signature data certifying that the group belongs to the group,
Accepting the input of the group signature and signer specific person information output from an external signature generation device,
Obtaining the signer specific person private key;
Determining whether the signer-identifier public key corresponding to the signer-identifier private key is included in the signer-identifier information;
When the signer-identifier public key is included in the signer-identifier information, the signer-identifier private key is used to decrypt the group signature to obtain signer information,
A member specifier corresponding to the signer information obtained by decryption is searched from the member list,
A signer identification method characterized by outputting the retrieved member identifier. The step of accepting the input accepts an input of a signer-identifier logical structure that can include a logical condition that two or more signer-identifiers cooperate to identify the signer;
The signer identification method according to claim 9, wherein the step of decrypting the group signature includes decrypting the group signature using the signer identifier logic structure. In a signature generation apparatus that stores in advance a member private key and a member public key of one signer who is a member of a group, the computer included in the signature generation apparatus includes:
A procedure for receiving input of signer identifier information that is information about the issuer administrator public key and the revocation administrator public key of the group, and the signer identifier to be permitted to identify the signer;
Obtaining a signer-identifier public key corresponding to the signer-identifier information;
Group signature data including data obtained by encrypting signer information included in the member secret key is generated using the signer identifier public key and a random number common to all the signer identifiers. Procedure and
A signature generation program that executes the generated group signature data and a procedure for outputting the signer identification information. The step of accepting the input accepts an input of a signer-identifier logical structure that may include a logical condition that two or more signer-identifiers cooperate to identify the signer;
12. The signature generation program according to claim 11, wherein the step of generating the group signature data generates the group signature data by using the signer identifier logical structure. A signer identification device storing in advance a signer identifier private key and a member list storing member identifiers corresponding to the signer information included in the group signature, the computer comprising the signer identification device ,
A procedure for accepting input of the group signature and signer specific person information output from an external signature generation device;
Obtaining the signer specific person private key;
Determining whether or not a signer-identifier public key corresponding to the signer-identifier private key is included in the signer-identifier information;
A procedure for obtaining the signer information by decrypting the group signature using the signer-identifier private key when the signer-identifier public key is included in the signer-identifier information;
Searching the member list for a member identifier corresponding to the signer information obtained by decryption;
And a procedure for outputting the retrieved member identifier. The step of accepting the input accepts an input of a signer-identifier logical structure that may include a logical condition that two or more signer-identifiers cooperate to identify the signer;
14. The signer identification program according to claim 13, wherein the step of decrypting the group signature uses the signer identifier logical structure to decrypt the group signature.

Images