Signature verification system, signature-device, verification device, and signature verification method

Abstract

A group structure preserving signature system that can be applied to groups based on symmetric bilinear mapping, that reduces the signature length, and that enables efficient computation of verification equations is provided. At least, information indicating p, G.sub.1, G.sub.2, G.sub.T, e, g.sub.1, and g.sub.2, information needed to obtain e(h.sub.u, h.sub.v), and data that includes g.sub.s, h.sub.s, g.sub.t, h.sub.t, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} are held as a public key vk, and data that includes vk, .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} are held as a secret key sk. A signature device selects and at random from integers between 0 and p1, both inclusive, obtains w, s, t, and r, and generates, as a signature , data that includes w, s, t, and r. A verification device verifies the signature by using two verification equations.

Claims

1. A signature verification system comprising: a signature device which includes processing circuitry configured to generate an electronic signature that is applied to electronic data, the electronic signature corresponding to a particular user, and to transmit the electronic data and the electronic signature to the verification device via a network, and a verification device, connected to the signature device via the network, which includes processing circuitry configured to receive the electronic data and the electronic signature, and to verify that the electronic data was transmitted by the particular user by verifying the electronic signature, wherein the processing circuitry of the signature device is configured to: record information indicating p, G.sub.1, G.sub.2, G.sub.T, e, g.sub.1, and g.sub.2, information needed to obtain e(g.sub.u, g.sub.v) and e(h.sub.u, h.sub.v), and data that includes g.sub.s, h.sub.s, g.sub.t, h.sub.t, {g.sub.1, h.sub.1}, . . . , {g.sub.k, h.sub.K} as a public key vk and records data that includes vk, .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.u, .sub.v, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} as a secret key sk; select and at random from integers between 0 and p1, both inclusive, obtains w, s, t, and r, as given below, $w=g_1^{},s=g_2^{},t={\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/{}_t}$ $r={\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}.Math.t^{-{}_t}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/}$ and generate, as a signature , as the electronic signature, data that includes w, s, t, and r; and the processing circuitry of the verification device is configured to: record the public key vk; and check whether two equations
e(g.sub.u,g.sub.v)=e(g.sub.s,s)e(g.sub.t,t)(.sub.k=1.sup.Ke(g.sub.k,m.sub.k))e(w,r),
e(h.sub.u,h.sub.v)=e(h.sub.s,s)e)(h.sub.t,t).sub.k=1.sup.Ke(h.sub.k,m.sub.k) are satisfied, and determine that the electronic signature is correct when the two equations are satisfied, and determine that the electronic signature is incorrect when at least one of the two equations is not satisfied, where G.sub.1, G.sub.2, and G.sub.T represent groups of order p, e represents pairing of G.sub.1G.sub.2.fwdarw.G.sub.T, g.sub.i represents any generator of group G.sub.1, g.sub.2 represents any generator of group G.sub.2, K represents a predetermined integer not smaller than 1, k represents an integer between 1 and K, both inclusive, m.sub.1, . . . , m.sub.K represent elements of group G.sub.1, message M, as the electronic data, is M=(m.sub.1, . . . , m.sub.K), {circumflex over ()} represents a power; .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.u, .sub.v, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} are integers between 0 and p1, both inclusive; and g.sub.s, h.sub.s, g.sub.t, h.sub.t, g.sub.u, h.sub.u, g.sub.v, h.sub.v, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} are given as follows: g.sub.s=g.sub.1{circumflex over ()}.sub.s h.sub.s=g.sub.1{circumflex over ()}.sub.s g.sub.t=g.sub.1{circumflex over ()}.sub.t h.sub.t=g.sub.1{circumflex over ()}.sub.t g.sub.u=g.sub.1{circumflex over ()}.sub.u h.sub.u=g.sub.2{circumflex over ()}.sub.u g.sub.v=g.sub.2{circumflex over ()}.sub.v h.sub.v=g.sub.1{circumflex over ()}.sub.v g.sub.k=g.sub.1{circumflex over ()}.sub.k h.sub.k=g.sub.1{circumflex over ()}.sub.k where k=1, . . . , K.

2. A signature verification system comprising: a signature device which includes processing circuitry configured to generate an electronic signature that is applied to electronic data, the electronic signature corresponding to a particular user, and to transmit the electronic data and the electronic signature to the verification device via a network, and a verification device, connected to the signature device via a network, which includes processing circuitry configured to receive the electronic data and to verify that the electronic data was transmitted by the particular user by verifying the electronic signature, wherein the processing circuitry of the signature device is configured to: record information indicating p, G.sub.1, G.sub.2, G.sub.T, e, g.sub.1, and g.sub.2, information needed to obtain e(h.sub.u, h.sub.v), and data that includes g.sub.s, h.sub.s, g.sub.t, h.sub.t, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} as a public key vk and records data that includes vk, .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} as a secret key sk; select and at random from integers between 0 and p1, both inclusive, obtains w, s, t, and r, as given below, $w=g_1^{},s=g_2^{},t={\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/{}_t}$ $r={\left(g_2^{-{}_s.Math.}.Math.t^{-{}_t}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/}$ and generate, as a signature , as the electronic signature, data that includes w, s, t, and r; and the processing circuitry of the verification device is configured to: record the public key vk; and check whether two equations
1=e(g.sub.s,s)e(g.sub.t,t)(.sub.k=1.sup.Ke(g.sub.k,m.sub.k))e(w,r),
e(h.sub.u,h.sub.v)=e(h.sub.s,s)e)(h.sub.t,t).sub.k=1.sup.Ke(h.sub.k,m.sub.k) are satisfied, and determine that the electronic signature is correct when the two equations are satisfied, or determine that the electronic signature is incorrect when at least one of the two equations is not satisfied, where G.sub.1, G.sub.2, and G.sub.T represent groups of order p, e represents pairing of G.sub.1G.sub.2.fwdarw.G.sub.T, g.sub.1 represents any generator of group G.sub.1, g.sub.2 represents any generator of group G.sub.2, K represents a predetermined integer not smaller than 1, k represents an integer between 1 and K, both inclusive, m.sub.1, . . . , m.sub.K represent elements of group G.sub.1, message M, as the electronic data, is M=(m.sub.1, . . . , m.sub.K), {circumflex over ()} represents a power; .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} are integers between 0 and p1, both inclusive; and g.sub.s, h.sub.s, g.sub.t, h.sub.t, h.sub.u, h.sub.v, {g.sub.1, h.sub.1}, . . . , {g.sub.K, k.sub.K} are given as follows: g.sub.s=g.sub.1{circumflex over ()}.sub.s h.sub.s=g.sub.1{circumflex over ()}.sub.s g.sub.t=g.sub.1{circumflex over ()}.sub.t h.sub.t=g.sub.1{circumflex over ()}.sub.t h.sub.u=g.sub.1{circumflex over ()}.sub.u h.sub.v=g.sub.2{circumflex over ()}.sub.v g.sub.k=g.sub.1{circumflex over ()}.sub.k h.sub.k=g.sub.1{circumflex over ()}.sub.k where k=1, . . . , K.

3. A signature device configured to generate an electronic signature that is applied to electronic data, the electronic signature corresponding to a particular user, and to transmit the electronic signature to a verification device, connected to the signature device via a network, that is configured to verify that the electronic data was transmitted by the particular user by verifying the electronic signature, the signature device comprising: processing circuitry configured to record information indicating p, G.sub.1, G.sub.2, G.sub.T, e, g.sub.1, and g.sub.2, information needed to obtain e(g.sub.u, g.sub.v) and e(h.sub.u, h.sub.v), and data that includes g.sub.s, h.sub.s, g.sub.t, h.sub.t, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} as a public key vk and records data that includes vk, .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.u, .sub.v, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} as a secret key sk; select and at random from integers between 0 and p1, both inclusive, obtains w, s, t, and r, as given below, $w=g_1^{},s=g_2^{},t={\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/{}_t}$ $r={\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}.Math.t^{-{}_t}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/}$ and generate, as a signature , as the electronic signature, data that includes w, s, t, and r; where G.sub.1, G.sub.2, and G.sub.T represent groups of order p, e represents pairing of G.sub.1G.sub.2.fwdarw.G.sub.T, g.sub.1 represents any generator of group G.sub.1, g.sub.2 represents any generator of group G.sub.2, K represents a predetermined integer not smaller than 1, k represents an integer between 1 and K, both inclusive, m.sub.1, . . . , m.sub.K represent elements of group G.sub.1, message M, as the electronic data, is M=(m.sub.1, . . . , m.sub.K), {circumflex over ()} represents a power; .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.u, .sub.v, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} are integers between 0 and p1, both inclusive; and g.sub.s, h.sub.s, g.sub.t, h.sub.t, g.sub.u, h.sub.u, g.sub.v, h.sub.v, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} are given as follows: g.sub.s=g.sub.1{circumflex over ()}.sub.s h.sub.s=g.sub.1{circumflex over ()}.sub.s g.sub.t=g.sub.1{circumflex over ()}.sub.t h.sub.t=g.sub.1{circumflex over ()}.sub.t g.sub.u=g.sub.1{circumflex over ()}.sub.u h.sub.u=g.sub.1{circumflex over ()}.sub.u g.sub.v=g.sub.2{circumflex over ()}.sub.v h.sub.v=g.sub.2{circumflex over ()}.sub.v g.sub.k=g.sub.1{circumflex over ()}.sub.k h.sub.k=g.sub.1{circumflex over ()}.sub.k where k=1, . . . , K.

4. A signature device configured to generate an electronic signature that is applied to electronic data, the electronic signature corresponding to a particular user, and to transmit the electronic signature to a verification device, connected to the signature device via a network, that is configured to verify that the electronic data was transmitted by the particular user by verifying the electronic signature, the signature device comprising: processing circuitry configured to record information indicating p, G.sub.1, G.sub.2, G.sub.T, e, g.sub.1, and g.sub.2, information needed to obtain e(h.sub.u, h.sub.v), and data that includes g.sub.s, h.sub.s, g.sub.t, h.sub.t, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} as a public key vk and records data that includes vk, .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} as a secret key sk; select and at random from integers between 0 and p1, both inclusive, obtains w, s, t, and r, as given below, $w=g_1^{},s=g_2^{},t={\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/{}_t}$ $r={\left(g_2^{-{}_u.Math.}.Math.t^{-{}_t}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/}$ and generate, as a signature , as the electronic signature, data that includes w, s, t, and r; where G.sub.1, G.sub.2, and G.sub.T represent groups of order p, e represents pairing of G.sub.1G.sub.2.fwdarw.G.sub.T, g.sub.1 represents any generator of group G.sub.1, g.sub.2 represents any generator of group G.sub.2, K represents a predetermined integer not smaller than 1, k represents an integer between 1 and K, both inclusive, m.sub.1, . . . , m.sub.K represent elements of group G.sub.1, message M, as the electronic data, is M=(m.sub.1, . . . , m.sub.K), {circumflex over ()} represents a power; .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} are integers between 0 and p1, both inclusive; and g.sub.s, h.sub.s, g.sub.t, h.sub.t, h.sub.u, h.sub.v, {g.sub.1, h.sub.1}, . . . , {g.sub.K, k.sub.K} are given as follows: g.sub.s=g.sub.1{circumflex over ()}.sub.s h.sub.s=g.sub.1{circumflex over ()}.sub.s g.sub.t=g.sub.1{circumflex over ()}.sub.t h.sub.t=g.sub.1{circumflex over ()}.sub.t h.sub.u=g.sub.1{circumflex over ()}.sub.u h.sub.v=g.sub.2{circumflex over ()}.sub.v g.sub.k=g.sub.1{circumflex over ()}.sub.k h.sub.k=g.sub.1{circumflex over ()}.sub.k where k=1, . . . , K.

5. A verification device configured to receive an electronic signature that is applied to electronic data, the electronic signature corresponding to a particular user and being received, along with the electronic data, from a signature device, connected to the verification device via a network, and the verification device being configured to verify that the electronic data was transmitted by the particular user by verifying the electronic signature, the verification device comprising: processing circuitry configured to record information indicating p, G.sub.1, G.sub.2, G.sub.T, e, g.sub.1, and g.sub.2, information needed to obtain e(g.sub.u, g.sub.v) and e(h.sub.u, h.sub.v), and data that includes g.sub.s, h.sub.s, g.sub.t, h.sub.t, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} as a public key vk; check whether two equations
e(g.sub.u,g.sub.v)=e(g.sub.s,s)e(g.sub.t,t)(.sub.k=1.sup.Ke(g.sub.k,m.sub.k))e(w,r),
e(h.sub.u,h.sub.v)=e(h.sub.s,s)e)(h.sub.t,t).sub.k=1.sup.Ke(h.sub.k,m.sub.k) are satisfied, and determine that the electronic signature is correct when the two equations are satisfied, or determine that the electronic signature is incorrect when at least one of the two equations is not satisfied, where G.sub.1, G.sub.2, and G.sub.T represent groups of order p, e represents pairing of G.sub.1G.sub.2.fwdarw.G.sub.T, g.sub.1 represents any generator of group G.sub.1, g.sub.2 represents any generator of group G.sub.2, K represents a predetermined integer not smaller than 1, k represents an integer between 1 and K, both inclusive, m.sub.1, m.sub.K represent elements of group G.sub.1, message M, as the electronic data, is M=(m.sub.1, m.sub.K), {circumflex over ()} represents a power; .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.u, .sub.v, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} are integers between 0 and p1, both inclusive; and g.sub.s, h.sub.s, g.sub.t, h.sub.t, g.sub.u, h.sub.u, g.sub.v, h.sub.v, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} are given as follows: g.sub.s=g.sub.1{circumflex over ()}.sub.s h.sub.s=g.sub.1{circumflex over ()}.sub.s g.sub.t=g.sub.1{circumflex over ()}.sub.t h.sub.t=g.sub.1{circumflex over ()}.sub.t g.sub.u=g.sub.1{circumflex over ()}.sub.u h.sub.u=g.sub.1{circumflex over ()}.sub.u g.sub.v=g.sub.2{circumflex over ()}.sub.v h.sub.v=g.sub.2{circumflex over ()}.sub.v g.sub.k=g.sub.1{circumflex over ()}.sub.k h.sub.k=g.sub.1{circumflex over ()}.sub.k where k=1, . . . , K.

6. A verification device configured to receive an electronic signature that is applied to electronic data, the electronic signature corresponding to a particular user and being received, along with the electronic data, from a signature device, connected to the verification device via a network, and the verification device being configured to verify that the electronic data was transmitted by the particular user by verifying the electronic signature, the verification device comprising: processing circuitry configured to record information indicating p, G.sub.1, G.sub.2, G.sub.T, e, g.sub.1, and g.sub.2, information needed to obtain e(h.sub.u, h.sub.v), and data that includes g.sub.s, h.sub.s, g.sub.t, h.sub.t, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} as a public key vk; check whether two equations
1=e(g.sub.s,s)e(g.sub.t,t)(.sub.k=1.sup.Ke(g.sub.k,m.sub.k))e(w,r),
e(h.sub.u,h.sub.v)=e(h.sub.s,s)e)(h.sub.t,t).sub.k=1.sup.Ke(h.sub.k,m.sub.k) are satisfied, and determine that the electronic signature is correct when the two equations are satisfied, or determine that the electronic signature is incorrect when at least one of the two equations is not satisfied, where G.sub.1, G.sub.2, and G.sub.T represent groups of order p, e represents pairing of G.sub.1G.sub.2.fwdarw.G.sub.T, g.sub.1 represents any generator of group G.sub.1, g.sub.2 represents any generator of group G.sub.2, K represents a predetermined integer not smaller than 1, k represents an integer between 1 and K, both inclusive, m.sub.1, . . . , m.sub.K represent elements of group G.sub.1, message M, as the electronic data, is M=(m.sub.1, . . . , m.sub.K), A represents a power; .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} are integers between 0 and p1, both inclusive; and g.sub.s, h.sub.s, g.sub.t, h.sub.t, h.sub.u, h.sub.v, {g.sub.1, h.sub.1}, . . . , {g.sub.K, k.sub.K} are given as follows: g.sub.s=g.sub.1{circumflex over ()}.sub.s h.sub.s=g.sub.1{circumflex over ()}.sub.s g.sub.t=g.sub.1{circumflex over ()}.sub.t h.sub.t=g.sub.1{circumflex over ()}.sub.t h.sub.u=g.sub.1{circumflex over ()}.sub.u h.sub.v=g.sub.2{circumflex over ()}.sub.v g.sub.k=g.sub.1{circumflex over ()}.sub.k h.sub.k=g.sub.1{circumflex over ()}.sub.k where k=1, . . . , K.

7. A signature verification method used in a signature verification system that includes a signature device which includes processing circuitry configured to generate an electronic signature that is applied to electronic data, the electronic signature corresponding to a particular user, and to transmit the electronic data and the electronic signature to the verification device via a network, and a verification device, connected to the signature device via a network, which includes processing circuitry configured to receive the electronic data and to verify that the electronic data was transmitted by the particular user by verifying the electronic signature, the signature verification method comprising: a signature recording step in which the signature device records information indicating p, G.sub.1, G.sub.2, G.sub.T, e, g.sub.1, and g.sub.2, information needed to obtain e(g.sub.u, g.sub.v) and e(h.sub.u, h.sub.v), and data that includes g.sub.s, h.sub.s, g.sub.t, h.sub.t, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} as a public key vk and records data that includes vk, .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.u, .sub.v, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} as a secret key sk; a signature generating step in which the signature device selects and at random from integers between 0 and p1, both inclusive, obtains w, s, t, and r, as given below, $w=g_1^{},s=g_2^{},t={\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/{}_t}$ $r={\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}.Math.t^{-{}_t}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/}$ and generates, as a signature , as the electronic signature, data that includes w, s, t, and r; a verification recording step in which the verification device records the public key vk; and a verifying step in which the verification device checks whether two equations
e(g.sub.u,g.sub.v)=e(g.sub.s,s)e(g.sub.t,t)(.sub.k=1.sup.Ke(g.sub.k,m.sub.k))e(w,r),
e(h.sub.u,h.sub.v)=e(h.sub.s,s)e)(h.sub.t,t).sub.k=1.sup.Ke(h.sub.k,m.sub.k) are satisfied, and determines that the electronic signature is correct when the two equations are satisfied, or determines that the electronic signature is incorrect when at least one of the two equations is not satisfied, where G.sub.1, G.sub.2, and G.sub.T represent groups of order p, e represents pairing of G.sub.1G.sub.2.fwdarw.G.sub.T, g.sub.1 represents any generator of group G.sub.1, g.sub.2 represents any generator of group G.sub.2, K represents a predetermined integer not smaller than 1, k represents an integer between 1 and K, both inclusive, m.sub.1, . . . , m.sub.K represent elements of group G.sub.1, message M, as the electronic data, is M=(m.sub.1, . . . , m.sub.K), {circumflex over ()} represents a power; .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.u, .sub.v, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} are integers between 0 and p1, both inclusive; and g.sub.s, h.sub.s, g.sub.t, h.sub.t, g.sub.u, h.sub.u, g.sub.v, h.sub.v, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} are given as follows: g.sub.s=g.sub.1{circumflex over ()}.sub.s h.sub.s=g.sub.1{circumflex over ()}.sub.s g.sub.t=g.sub.1{circumflex over ()}.sub.t h.sub.t=g.sub.1{circumflex over ()}.sub.t g.sub.u=g.sub.1{circumflex over ()}.sub.u h.sub.u=g.sub.1{circumflex over ()}.sub.u g.sub.v=g.sub.2{circumflex over ()}.sub.v h.sub.v=g.sub.2{circumflex over ()}.sub.v g.sub.k=g.sub.1{circumflex over ()}.sub.k h.sub.k=g.sub.1{circumflex over ()}.sub.k where k=1, . . . , K.

8. A signature verification method used in a signature verification system that includes a signature device which includes processing circuitry configured to generate an electronic signature that is applied to electronic data, the electronic signature corresponding to a particular user, and to transmit the electronic data and the electronic signature to the verification device via a network, and a verification device, connected to the signature device via a network, which includes processing circuitry configured to receive the electronic data and to verify that the electronic data was transmitted by the particular user by verifying the electronic signature, the signature verification method comprising: a signature recording step in which the signature device records information indicating p, G.sub.1, G.sub.2, G.sub.T, e, g.sub.1, and g.sub.2, information needed to obtain e(h.sub.u, h.sub.v), and data that includes g.sub.s, h.sub.s, g.sub.t, h.sub.t, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} as a public key vk and records data that includes vk, .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} as a secret key sk; a signature generating step in which the signature device selects and at random from integers between 0 and p1, both inclusive, obtains w, s, t, and r, as given below, $w=g_1^{},s=g_2^{},t={\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/{}_t}$ $r={\left(g_2^{-{}_u.Math.}.Math.t^{-{}_t}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/}$ and generates, as a signature , as the electronic signature, data that includes w, s, t, and r; a verification recording step in which the verification device records the public key vk; and a verifying step in which the verification device checks whether two equations
1=e(g.sub.s,s)e(g.sub.t,t)(.sub.k=1.sup.Ke(g.sub.k,m.sub.k))e(w,r),
e(h.sub.u,h.sub.v)=e(h.sub.s,s)e)(h.sub.t,t).sub.k=1.sup.Ke(h.sub.k,m.sub.k) are satisfied, and determines that the electronic signature is correct when the two equations are satisfied, or it is determined that the electronic signature is incorrect when at least one of the two equations is not satisfied, where G.sub.1, G.sub.2, and G.sub.T represent groups of order p, e represents pairing of G.sub.1G.sub.2.fwdarw.G.sub.T, g.sub.1 represents any generator of group G.sub.1, g.sub.2 represents any generator of group G.sub.2, K represents a predetermined integer not smaller than 1, k represents an integer between 1 and K, both inclusive, m.sub.1, . . . , m.sub.K represent elements of group G.sub.1, message M, as the electronic data, is M=(m.sub.1, . . . , m.sub.K), {circumflex over ()} represents a power; .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} are integers between 0 and p1, both inclusive; and g.sub.s, h.sub.s, g.sub.t, h.sub.t, h.sub.u, h.sub.v, {g.sub.1, h.sub.1}, . . . , {g.sub.K, k.sub.K} are given as follows: g.sub.s=g.sub.1{circumflex over ()}.sub.s h.sub.s=g.sub.1{circumflex over ()}.sub.s g.sub.t=g.sub.1{circumflex over ()}.sub.t h.sub.t=g.sub.1{circumflex over ()}.sub.t h.sub.u=g.sub.1{circumflex over ()}.sub.u h.sub.v=g.sub.2{circumflex over ()}.sub.v g.sub.k=g.sub.1{circumflex over ()}.sub.k h.sub.k=g.sub.1{circumflex over ()}.sub.k where k=1, . . . , K.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) FIG. 1 is a view showing an example configuration of a signature verification system of the present invention;

(2) FIG. 2 is a view illustrating a processing flow of a signature device;

(3) FIG. 3 is a view illustrating a processing flow of a verification device.

DETAILED DESCRIPTION OF THE EMBODIMENTS

(4) Now, embodiments of the present invention will be described in detail. Components having identical functions will be denoted by the same reference numerals, and a duplicated description thereof will be omitted.

First Embodiment

(5) Configuration and Processing

(6) FIG. 1 shows an example configuration of a signature verification system of the present invention. FIG. 2 illustrates a processing flow of a signature device, and FIG. 3 illustrates a processing flow of a verification device. The signature verification system comprises at least a signature device 100 and a verification device 200. The signature device 100 records a secret key sk and a public key vk and generates a signature with respect to a message M. The verification device 200 records the public key vk and verifies whether the signature is a correct one generated by using the secret key sk for the message M. The public key vk, the message M, and the signature are shared by the signature device 100 and the verification device 200, and the sharing means may use a network or a portable recording medium. In FIG. 1, the signature device 100 and the verification device 200 are connected by a network 800.

(7) The following symbols are used below: G.sub.1, G.sub.2, and G.sub.T represent groups of order p; e represents pairing of G.sub.1G.sub.2.fwdarw.G.sub.T; g.sub.1 represents any generator of group G.sub.1, g.sub.2 represents any generator of group G.sub.2; K represents a predetermined integer not smaller than 1; k represents an integer between 1 and K, both inclusive; m.sub.1, . . . , m.sub.K represent elements of group G.sub.1; message M is M=(m.sub.1, . . . , m.sub.K); {circumflex over ()} represents a power.

(8) A key generating unit 110 selects .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.u, .sub.v, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} from integers between 0 and p1, both inclusive. The selection should be made at random. Then, g.sub.s, h.sub.s, g.sub.t, h.sub.t, g.sub.u, h.sub.u, g.sub.v, h.sub.v, {g.sub.1, h.sub.1}, {g.sub.K, h.sub.K} are obtained as follows (S110):

(9) TABLE-US-00002 g.sub.s = g.sub.1{circumflex over ()}.sub.s h.sub.s = g.sub.1{circumflex over ()}.sub.s g.sub.t = g.sub.1{circumflex over ()}.sub.t h.sub.t = g.sub.1{circumflex over ()}.sub.t g.sub.u = g.sub.1{circumflex over ()}.sub.u h.sub.u = g.sub.1{circumflex over ()}.sub.u g.sub.v = g.sub.2{circumflex over ()}.sub.v h.sub.v = g.sub.2{circumflex over ()}.sub.v g.sub.k = g.sub.1{circumflex over ()}.sub.k h.sub.k = g.sub.1{circumflex over ()}.sub.k (k = 1, . . . , K)
These data items may be obtained beforehand and may be used in common for multiple signatures or may be changed each time a signature is generated.

(10) The signature device 100 comprises at least a signature recording unit 190 and a signature generating unit 120. The key generating unit 110 may be comprised in the signature device 100 or in a different unit. The signature device 100 may also comprise a signature input-output unit 180 that exchanges data through the network 800. The signature recording unit 190 records information indicating p, G.sub.1, G.sub.2, G.sub.T, e, g.sub.1, and g.sub.2, information needed to obtain e(g.sub.u, g.sub.v) and e(h.sub.u, h.sub.v), and data that includes g.sub.s, h.sub.s, g.sub.t, h.sub.t, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K}, as the public key vk, and records data that includes vk, .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.u, .sub.v, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} as the secret key sk (S190). For example, a statement indicating p, G.sub.1, G.sub.2, G.sub.T, e, g.sub.1, and g.sub.2, and g.sub.s, h.sub.s, g.sub.t, h.sub.t, g.sub.u, g.sub.v, h.sub.v, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} may be held as the public key vk. Alternatively, a statement indicating p, G.sub.1, G.sub.2, G.sub.T, e, g.sub.1, and g.sub.2, and g.sub.s, h.sub.s, g.sub.t, h.sub.t, e(g.sub.u, g.sub.v), e(h.sub.u, h.sub.v) {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} may be held as the public key vk.

(11) The signature generating unit 120 selects and at random from integers between 0 and p1, both inclusive, obtains w, s, t, and r as given below, and generates data that includes w, s, t, and r as the signature (S120).

(12) $w=g_1^{},s=g_2^{},t={\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}{.Math.}_{k=1}^K{m}_k^{-{}_k}\right)}^{1/{}_t}$$r={\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}.Math.t^{-{}_t}{.Math.}_{k=1}^K{m}_k^{-{}_k}\right)}^{1/}$

(13) The message M for which the signature is made consists of K elements of group G.sub.1. Ordinary messages are integers of any length, but the message M in the present invention consists of K elements of group G.sub.1. If a message for which a signature is made is short, the message M should be created by padding so as to have K elements of group G.sub.1. One of the elements of group G.sub.1 should be chosen beforehand as the value to be padded with. The signature input-output unit 180 sends the signature a through the network 800 to the verification device 200 (S180).

(14) The verification device 200 comprises at least a verification recording unit 290 and a verifying unit 210. The verification recording unit 290 records the public key vk (S290). The verification device 200 may also comprise a verification input-output unit 280 that exchanges data through the network 800. The verification input-output unit 280 receives the signature through the network 800 (S280).

(15) The verifying unit 210 checks whether the following two equations are satisfied.
e(g.sub.u,g.sub.v)=e(g.sub.s,s)e(g.sub.t,t)(.sub.k=1.sup.Ke(g.sub.k,m.sub.k))e(w,r),
e(h.sub.u,h.sub.v)=e(h.sub.s,s)e)(h.sub.t,t).sub.k=1.sup.Ke(h.sub.k,m.sub.k)

(16) If the two equations are satisfied, the verifying unit 210 determines that the signature is correct. If at least one of the two equations is not satisfied, the verifying unit 210 determines that the signature is incorrect (S210).

(17) Description of Verification Equations

(18) The left side of the first verification equation above is given as follows.

(19) $\begin{array}{c}e\left(g_u,g_v\right)=e\left(g_1^{{}_u},g_2^{{}_v}\right)\\ ={e\left(g_1,g_2\right)}^{{}_u.Math.{}_v}\end{array}$

(20) The right side is given as follows.

(21) $e\left(g_s,s\right)e\left(g_t,t\right)\left(\underset{k=1}{\overset{K}{.Math.}}e\left(g_k,m_k\right)\right)e\left(w,r\right)=e\left(g_1^{{}_s},g_2^{}\right)e\left(g_1^{{}_t},{\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/{}_t}\right)\left(\underset{k=1}{\overset{K}{.Math.}}e\left(g_1^{{}_k},m_k\right)\right)e\left(g_1^{},{\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}.Math.t^{-{}_t}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/}\right)={e\left(g_1,g_2\right)}^{{}_s.Math.}e\left(g_1^{{}_t},{\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}\right)}^{1/{}_t}\right)e\left(g_1^{{}_t},{\left(\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/{}_t}\right)\left(\underset{k=1}{\overset{K}{.Math.}}e\left(g_1^{{}_k},m_k\right)\right)e\left(g_1^{},{\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}.Math.{\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{-{}_t/{}_t}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/}\right)={e\left(g_1,g_2\right)}^{{}_s.Math.+{}_t.Math.\left({}_u.Math.{}_v-{}_s.Math.\right)/{}_t}{e\left(g_1,g_2\right)}^{.Math.\left({}_u.Math.{}_v-{}_s.Math.-{}_t.Math.\left({}_u.Math.{}_v-{}_s.Math.\right)/{}_t\right)/}\underset{k=1}{\overset{K}{.Math.}}{e\left(g_1,m_k\right)}^{{}_k}\underset{k=1}{\overset{K}{.Math.}}{e\left(g_1,m_k\right)}^{.Math.\left(-{}_k\right)/}{e\left(g_1,\left(\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)\right)}^{{}_t/{}_t}{e\left(g_1,\left(\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)\right)}^{.Math.\left(-{}_t/{}_t\right)/}={e\left(g_1,g_2\right)}^{{}_u.Math.{}_v}$

(22) Accordingly, if the signature is correct, the first equation is satisfied. The left side of the second equation is given as follows.

(23) $\begin{array}{c}e\left(h_u,h_v\right)=e\left(g_1^{{}_u},g_2^{{}_v}\right)\\ ={e\left(g_1,g_2\right)}^{{}_u.Math.{}_v}\end{array}$

(24) The right side is given as follows.

(25) $e\left(h_s,s\right)e\left(h_t,t\right)\underset{k=1}{\overset{K}{.Math.}}e\left(h_k,m_k\right)=e\left(g_1^{{}_s},g_2^{}\right)e\left(g_1^{{}_t},{\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/{}_t}\right)\underset{k=1}{\overset{K}{.Math.}}e\left(g_1^{{}_k},m_k\right)={e\left(g_1,g_2\right)}^{{}_s.Math.}{e\left(g_1,g_2\right)}^{{}_t.Math.\left({}_u.Math.{}_v-{}_s.Math.\right)/{}_t}\underset{k=1}{\overset{K}{.Math.}}{e\left(g_1,m_k\right)}^{{}_t.Math.\left(-{}_k\right)/{}_t}\underset{k=1}{\overset{K}{.Math.}}{e\left(g_1,m_k\right)}^{{}_k}={e\left(g_1,g_2\right)}^{{}_u.Math.{}_v}$

(26) Accordingly, if the signature is correct, the second equation is satisfied.

(27) Reason why security is provided even with symmetric bilinear mapping

(28) Since symmetric bilinear mapping gives

(29) $\begin{array}{c}e\left(g_1,g_2\right)e\left(g_2,g_1^{-1}\right)=e\left(g_1,g_2\right){e\left(g_2,g_1\right)}^{-1}\\ =1\end{array}$
multiplying by e(g.sub.1, g.sub.2)e(g.sub.2, g.sub.1.sup.1) does not change the result of operations on the groups. For example, the first verification equation can be converted as follows.

(30) $e\left(g_u,g_v\right)=e\left(g_s,s\right)e\left(g_t,t\right)\left(\underset{k=1}{\overset{K}{.Math.}}e\left(g_k,m_k\right)\right)e\left(w,r\right),=e\left(g_s,s\right)e\left(g_t,t\right)e\left(g_1,m_1\right)e\left(g_2,m_2\right)\mathrm{.Math.}e\left(g_K,m_K\right)e\left(w,r\right)=e\left(g_s,s\right)e\left(g_t,t\right)e\left(g_1,m_1\right)e\left(g_1,g_2\right)e\left(g_2,g_1^{-1}\right)e\left(g_2,m_2\right)\mathrm{.Math.}e\left(g_K,m_K\right)e\left(w,r\right)=e\left(g_s,s\right)e\left(g_t,t\right)e\left(g_1,m_1{g}_2\right)e\left(g_2,m_2{g}_1^{-1}\right)\mathrm{.Math.}e\left(g_K,m_K\right)e\left(w,r\right)$

(31) It means that the first equation is satisfied even for a message M=(m.sub.1, m.sub.2, . . . , m.sub.K) that includes m.sub.1 and m.sub.2 which are given by m.sub.1=m.sub.1g.sub.2 and m.sub.2=m.sub.2g.sub.1.sup.1. Accordingly, with symmetric bilinear mapping, the security of the signature cannot be ensured by the single equation alone.

(32) The second equation for the message M will be considered next. The right side of the second equation is given as follows.

(33) 0$e\left(h_s,s\right)e\left(h_t,t\right)e\left(h_1,m_1^{}\right)e\left(h_2,m_2^{}\right)\mathrm{.Math.}e\left(h_K,m_K\right)=e\left(h_s,s\right)e\left(h_t,t\right)e\left(h_1,m_1{g}_2\right)e\left(h_2,m_2{g}_1^{-1}\right)\mathrm{.Math.}e\left(h_K,m_K\right)=e\left(h_s,s\right)e\left(h_t,t\right)e\left(h_1,m_1\right)e\left(h_1,g_2\right)e\left(h_2,g_1^{-1}\right)e\left(h_2,m_2\right)\mathrm{.Math.}e\left(h_K,m_K\right)$

(34) Since e(h.sub.1, g.sub.2)e(h.sub.2, g.sub.1.sup.1) is not 1, the equation does not match the left side, e(h.sub.u, h.sub.v). That is, the second equation is not satisfied. Accordingly, by using the two verification equations, security can be ensured even with symmetric bilinear mapping.

(35) Effects

(36) The signature verification system according to the present invention uses the two verification equations for verification and can ensure security even with symmetric bilinear mapping, like the method in Non-patent literature 3. Accordingly, an encryption protocol can be efficiently configured by combining the digital signature of the present invention with elements (a public key encryption method, commitment, etc.) of a different encryption protocol, generated on groups based on symmetric bilinear mapping. Moreover, since the signature c consists of four group elements w, s, t, and r, the signature length is shorter than that in Non-patent literature 3, which requires seven group elements. The number of pairing operations in verification can be reduced to 7+2K. Accordingly, the amount of computation becomes smaller than that for 10+2K operations in Non-patent literature 3.

(37) Modification

(38) A modification will be described also with reference to FIGS. 1 to 3. A signature verification system of the modification comprises at least a signature device 100 and a verification device 200. The conditions of the groups and variables are the same as those in the first embodiment except that .sub.u and .sub.v are set to 0. In that case, g.sub.u=g.sub.v=1 and e(g.sub.u, g.sub.v)=1, and the public key vk does not require any information to obtain e(g.sub.u, g.sub.v). The secret key sk does not require .sub.u or .sub.v. A signature generating unit 120 should obtain r as follows.

(39) $r={\left(g_2^{-{}_s.Math.}.Math.t^{-{}_t}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/}$

(40) A verifying unit 210 should check whether the two equations given below are satisfied.
1=e(g.sub.s,s)e(g.sub.t,t)(.sub.k=1.sup.Ke(g.sub.k,m.sub.k))e(w,r),
e(h.sub.u,h.sub.v)=e(h.sub.s,s)e(h.sub.t,t).sub.k=1.sup.Ke(h.sub.k,m.sub.k)

(41) In other words, the signature verification system of the present invention can be modified to a signature verification system that does not use .sub.u, .sub.v, g.sub.u, or g.sub.v, as follows.

(42) A key generating unit 110 selects .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.v, {.sub.1, .sub.1}, . . . , {.sub.K, .sub.K} from integers between 0 and p1, both inclusive. The selection should be made at random. Then, g.sub.s, h.sub.s, g.sub.t, h.sub.t, h.sub.u, h.sub.v, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} are obtained as follows (S110):

(43) TABLE-US-00003 g.sub.s = g.sub.1{circumflex over ()}.sub.s h.sub.s = g.sub.1{circumflex over ()}.sub.s g.sub.t = g.sub.1{circumflex over ()}.sub.t h.sub.t = g.sub.1{circumflex over ()}.sub.t h.sub.u = g.sub.1{circumflex over ()}.sub.u h.sub.v = g.sub.2{circumflex over ()}.sub.v g.sub.k = g.sub.1{circumflex over ()}.sub.k h.sub.k = g.sub.1{circumflex over ()}.sub.k (k = 1, . . . , K)

(44) A signature recording unit 190 records information indicating p, G.sub.1, G.sub.2, G.sub.T, e, g.sub.1, and g.sub.2, information needed to obtain e(h.sub.u, h.sub.v), and data that includes g.sub.s, h.sub.s, g.sub.t, h.sub.t, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} as the public key vk and records data that includes vk, .sub.s, .sub.s, .sub.t, .sub.t, .sub.u, .sub.v, {.sub.K, .sub.K} as the secret key sk (S190). For example, a statement indicating p, G.sub.1, G.sub.2, G.sub.T, e, g.sub.1, and g.sub.2, and g.sub.s, h.sub.s, g.sub.t, h.sub.t, h.sub.u, h.sub.v, {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} may be held as the public key vk. Alternatively, a statement indicating p, G.sub.1, G.sub.2, G.sub.T, e, g.sub.1, and g.sub.2, and g.sub.2, and g.sub.s, h.sub.s, g.sub.t, h.sub.t, e(h.sub.u, h.sub.v), {g.sub.1, h.sub.1}, . . . , {g.sub.K, h.sub.K} may be held as the public key vk.

(45) The signature generating unit 120 selects and at random from integers between 0 and p1, both inclusive, obtains w, s, t, and r, given as follows, and generates, as a signature , data that includes w, s, t, and r (S120).

(46) $w=g_1^{},s=g_2^{},t={\left(g_2^{{}_u.Math.{}_v-{}_s.Math.}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/{}_t}$$r={\left(g_2^{-{}_s.Math.}.Math.t^{-{}_t}\underset{k=1}{\overset{K}{.Math.}}{m}_k^{-{}_k}\right)}^{1/}$

(47) A signature input-output unit 180 sends the signature through the network 800 to the verification device 200 (S180).

(48) The verification device 200 comprises at least a verification recording unit 290 and the verifying unit 210. The verification recording unit 290 records the public key vk (S290). The verification device 200 may comprise a verification input-output unit 280 that exchanges data through the network 800. The verification input-output unit 280 receives the signature through the network 800 (S280).

(49) The verifying unit 210 checks whether the following two verification equations are satisfied.
1=e(g.sub.s,s)e(g.sub.t,t)(.sub.k=1.sup.Ke(g.sub.k,m.sub.k))e(w,r),
e(h.sub.u,h.sub.v)=e(h.sub.s,s)e(h.sub.t,t).sub.k=1.sup.Ke(h.sub.k,m.sub.k)

(50) If the two equations are satisfied, the verifying unit 210 determines that the signature is correct; if at least one of the two equations is not satisfied, the verifying unit 210 determines that the signature is incorrect (S210).

(51) The modification differs from the first embodiment just in that .sub.u and .sub.v are set to 0. In that case, since g.sub.u=g.sub.v=1 and e(g.sub.u, g.sub.v)=1, if the signature is correct, the two equations given above are satisfied.

(52) Like the method in non-patent literature 3, the modification uses the two verification equations in verification and can ensure security even with symmetric bilinear mapping. In addition, because the signature consists of four group elements w, s, t, and r, the signature is shorter than that in Non-patent literature 3, which requires seven group elements. Moreover, the number of paring operations in verification can be reduced to 6+2K. Accordingly, the amount of computation becomes smaller than that for 10+2K operations in Non-patent literature 3.

(53) Program, Recording Medium

(54) Each type of processing described above may be executed not only time sequentially according to the order of description but also in parallel or individually when necessary or according to the processing capabilities of the devices that execute the processing. Appropriate changes can be made to the above embodiments without departing from the scope of the present invention.

(55) When the configurations described above are implemented by a computer, the processing details of the functions that should be provided by each device are described in a program. When the program is executed by a computer, the processing functions described above are implemented on the computer.

(56) The program containing the processing details can be recorded in a computer-readable recording medium. The computer-readable recording medium can be any type of medium, such as a magnetic storage device, an optical disc, a magneto-optical recording medium, or a semiconductor memory.

(57) This program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or a CD-ROM with the program recorded on it, for example. The program may also be distributed by storing the program in a storage unit of a server computer and transferring the program from the server computer to another computer through the network.

(58) A computer that executes this type of program first stores the program recorded on the portable recording medium or the program transferred from the server computer in its storage unit. Then, the computer reads the program stored in its storage unit and executes processing in accordance with the read program. In a different program execution form, the computer may read the program directly from the portable recording medium and execute processing in accordance with the program, or the computer may execute processing in accordance with the program each time the computer receives the program transferred from the server computer. Alternatively, the above-described processing may be executed by a so-called application service provider (ASP) service, in which the processing functions are implemented just by giving program execution instructions and obtaining the results without transferring the program from the server computer to the computer. The program of this form includes information that is provided for use in processing by the computer and is treated correspondingly as a program (something that is not a direct instruction to the computer but is data or the like that has characteristics that determine the processing executed by the computer).

(59) In the description given above, the devices are implemented by executing the predetermined programs on the computer, but at least a part of the processing details may be implemented by hardware.

INDUSTRIAL APPLICABILITY

(60) The present invention can be used as a basic element in a variety of encryption protocols used for electronic money, credentials systems, and the like.

DESCRIPTION OF REFERENCE NUMERALS

(61) 100, 100: Signature device

(62) 110, 110: Key generating unit

(63) 120, 120: Signature generating unit

(64) 180, 180: Signature input-output unit

(65) 190, 190: Signature recording unit

(66) 200, 200: Verification device

(67) 210, 210: Verifying unit

(68) 280, 280: Verification input-output unit

(69) 290, 290: Verification recording unit

(70) 800: Network.