US2012137136A1PendingUtilityA1

Group signature scheme

47
Assignee: TERANISHI ISAMUPriority: Jan 21, 2005Filed: Jan 26, 2012Published: May 31, 2012
Est. expiryJan 21, 2025(expired)· nominal 20-yr term from priority
Inventors:Isamu Teranishi
H04L 9/3255H04L 2209/42H04L 9/3013H04L 9/302G09C 1/00
47
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

An efficient and safe group signature scheme is provided. According to the present invention, an open unit is provided to not an issuer but an opener, and a data required for operating the open unit does not include a key pair of the issuer, so that it is possible to accurately operate the open unit even if the issuer generates the public key in an illegal manner. In addition, it is possible to prove that a key pair of a member cannot be counterfeited. It is possible to implement from a discrete logarithm assumption a feature that a cipher text, that is, a portion of a signature text can be decrypted only by the opener in a method which IS the same as a method representing that an ElGamal crypto scheme is safe.

Claims

exact text as granted — not AI-modified
1 . A group signature scheme comprising:
 a step of selecting a random number ρ and generating a Cipher where user-specified information B is encrypted by using a public key of an opener apparatus or a portion thereof and the ρ;   a step where an input means reads a data required for calculation;   a step where a commitment means selects at random u and e′ and acquires a commitment χ_b of a portion b of a public key of the user apparatus, a commitment χ_e of a portion e of the public key of the user apparatus, a commitment χ_u of u, a commitment (d — 1, d — 2) used for verifying a satisfaction of a verification equation associated with an RSA modulus, a commitment d_e of e′, and a commitment ComCipher used for verifying that the Cipher is a valid cipher text;   a step where a challenge means acquires a challenge l;   a step where a response means acquires a response x″ representing a knowledge of a secret key x of the user apparatus, a response e″ representing a knowledge of the e, a response u″ representing a knowledge of the u, a response u″_e representing a knowledge of a product of the u and the e, and a response ρ″ representing a a knowledge of the ρ; and   a step where an output means outputs the responses.   
     
     
         2 . The group signature scheme according to  claim 1 ,
 wherein the public key of the opener apparatus used for calculating the Cipher or a portion thereof include P, Q — 1, and Q — 2,   wherein the Cipher includes G′, H′ — 1, and H′ — 2,   wherein the ComCipher includes the U calculated by performing a scalar product of the G and the ρ′, the V — 1 obtained by adding the scalar product of the G and the x′ to a scalar product of the H — 1 and the ρ′, and the V — 2 obtained by adding the scalar product of the G and the x′ to a scalar product of the H — 2 and the ρ′,   wherein, when the G′, H′ — 1, and H′ — 2 are generated, the user apparatus selects at random a number ρ and calculates G′ that is a scalar product of P and ρ, H′ — 1 that is a scalar product of Q — 1 and ρ, and H′ — 2 that is a scalar product of Q — 2 and ρ,   wherein the commitment means selects at random numbers s, t, x′, t′, u′_e, t′_e, and ρ′ and calculates a commitment d_u of u′,   wherein the χ_b is calculated by multiplying a value obtained by raising a portion h of the public key of the issuer to the power of u with a portion b of a public key of a user,   wherein the χ_e is calculated by subtracting e with a value obtained by raising 2 to the power of a value γ determined based on a security parameter to calculate E, and by multiplying a value obtained by raising a portion g of the public key of the issuer to the power of the E with a value obtained by raising the h to the power of s,   wherein the χ#u is calculated by multiplying a value obtained by raising the g to the power of u with a value obtained by raising the h to the power of the t,   wherein the d — 1 is calculated by multiplying a value obtained by raising a portion a of the public key of the issuer to the power of −x′ with a value obtained by raising the χ_b to the power of e′ and a value obtained by raising the h to the power of a number U,   wherein the U is calculating by inverting a sign of a value obtained by adding the u′e to a value obtained by multiplying a value obtained by raising 2 to the power of the γ with the u′,   wherein the d — 2 is calculated by multiplying a value obtained by raising the χ_u to the power of −e′ with a value obtained by raising the g to the power of the u′_e and a value obtained by raising the h to the power of the t′_e,   wherein the d_e is calculated by multiplying a value obtained by raising the g to the power of the e′ with a value obtained by raising the h to the power of the s′,   wherein the d_u is calculated by multiplying a value obtained by raising the g to the power of the u′ with a value obtained by raising the h to the power of the t′.   
     
     
         3 . The group signature scheme according to  claim 2 , comprising
 a step of calculating a response s″ representing a knowledge of the s, a response t″ representing a knowledge of the t, and a response t″_e representing a knowledge of a product of the t and the e,   wherein the x″ is a value obtained by adding the x′ to a product of the x and the l,   wherein the e″ is a value obtained by adding the e′ to a product of the l and a value obtained by subtracting the e with a value obtained by raising 2 to the power of the λ,   wherein the u″ is a value obtained by adding the u′ to a product of the u and the l,   wherein the s″ is a value obtained by adding the s′ to a product of the s and the l,   wherein the t″ is a value obtained by adding the t′ to a product of the t and the l,   wherein the u″_e is a value obtained by adding the u′e to a product of the l and u and a value obtained by subtracting the e with a value obtained by raising 2 to the power of the λ,   wherein the t″_e is a value obtained by adding the t′_e to a product of the t and l and a value obtained by subtracting the e with a value obtained by raising 2 to the power of the λ,   wherein the ρ″ is a value obtained by adding the ρ′ to a product of the ρ and the l,   wherein the χ_b, the χ_e, the χ_u, the x″, the e″, the u″, the s″, the t″, the u″_e, the t″_e, and the ρ″ are output as a portion of a data.   
     
     
         4 . The group signature scheme according to  claim 3 ,
 wherein the l is a hash value of a data including the (χ_b, (χ_e, χ_u), d — 1, d — 2, (d_e, d_u), (U, V — 1, V — 2)).   
     
     
         5 . The group signature scheme according to  claim 4 ,
 wherein the l is included in a portion of an output data.   
     
     
         6 . The group signature scheme according to  claim 4 ,
 wherein the (χ_b, (χ_e, χ_u), d — 1, d — 2, (d_e, d_u), (U, V — 1, V — 2)) is included in a portion of an output data.   
     
     
         7 . A group signature scheme of a verifying apparatus having an input means for inputting a data, a verifying means for verifying the data and an output means for outputting a verification result of the verifying means,
 wherein the input means inputs publicized information and a data output by a user apparatus and a challenge l,   wherein the data includes χ_b, χ_e, χ_u, x″, e″, u″, s″, t″, u″e, t″_e, and ρ″,   wherein the output means outputs a data representing whether or not a signature text is a valid signature text of a message,   wherein the verifying means comprises a commitment calculating means, a validity verifying means, and a interval verifying means,   wherein the commitment calculating means calculates d — 1̂*, d — 2̂*, d_ê*, d_û*, Û*, V — 1̂*, and V — 2̂*,   wherein the d — 1̂* is a value obtained by multiplying a value obtained by raising a portion a — 0 of a public key of an issuer apparatus to the power of a sign-inverted value of the l with a value obtained by raising a portion a of a public key of an issuer apparatus to the power of a sign-inverted value of the x″, a value obtained by raising χ_b to the power of a value obtained by adding e″ to a product of l and a value obtained by raising 2 to the power of a value γ determined based on a security parameter, and a value obtained by adding u″_e to a product of the u″ and a value obtained by raising 2 to the power of the γ,   wherein the d — 2̂* is obtained by multiplying a value obtained by raising the χ_u to the power of −e″ with a value obtained by raising a portion g of the public key of the issuer apparatus to the power of the u″_e and a value obtained by raising a portion h of the public key of the issuer apparatus to the power of the t″_e,   wherein the d_ê* is obtained by multiplying a value obtained by raising the χ_e to the power of a sign-inverted value of the l with a value obtained by raising the g to the power of the u″_e and a value obtained by raising the h to the power of the s″,   wherein the d_û* is obtained by multiplying a value obtained by raising the χ_u to the power of a sign-inverted value of the l with a value obtained by raising the g to the power of the u″ and a value obtained by raising the h to the power of the t″,   wherein the Û* is a value obtained by adding a scalar product of a sign-inverted value of the l and P to a scalar product of the ρ″ and the G,   wherein the V — 1̂* is a value obtained by adding a scalar product of a sign-inverted value of the l and Q — 1 to a scalar product of the x″ and the G and a scalar product of the ρ″ and the H — 1,   wherein the V — 2̂* is a value obtained by adding a scalar product of a sign-inverted value of the l and Q — 2 to a scalar product of the x″ and the G and a scalar product of the ρ″ and the H — 2, and   wherein the interval verifying means verifies whether or not the x″ and the e″ are included in a predetermined interval.   
     
     
         8 . The group signature scheme according to  claim 7 ,
 wherein the l is included in the data output by the user apparatus.   
     
     
         9 . The group signature scheme according to  claim 8 ,
 wherein the l is a hash value of a data including the (χ_b, (χ_e, χ_u), d — 1̂*, d — 2̂*, (d_ê*, d_û*), (Û*, V — 1̂*, V — 2̂*)).   
     
     
         10 . The group signature scheme according to  claim 7 ,
 wherein the data output by the user apparatus includes seven types of data,   wherein the verifying means uses a hash value of a data including the seven types of data as the l, and   wherein the verifying apparatus verifies whether or not the seven types of data are equal to the d — 1̂*, the d — 2̂*, the d_ê*, the d_û*, the Û*, the V — 1̂*, and the V — 2̂*.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.