Group signature system, device, and program
First Claim
1. A group signature system comprising a group manager device, a signer device and a verifier device capable of communicating with each other, each device using a group signature scheme, whereinthe group manager device comprises:
- a parameter storing module configured to store a public parameter including a prime order q and a generator g1 of a multiplicative cyclic group G of the prime order q used in the group signature scheme;
a group key generating module configured to generate a group secret key including values a, bε
Zq, and a group public key including values g2, f and the generator g1 satisfying a first relational expression g2=g1a and a second relational expression f=g1b, based on the public parameter in the parameter storing module;
a member secret key generating module configured to calculate a member secret key composed of representation (ki1, ki2) satisfying a fourth relational expression f=g1^{ki1}g2^{ki2}, based on the group secret key, the group public key and a third relational expression ki1=b−
aki2 mod q (^ is a symbol representing exponentiation); and
a signer tracing information calculating module configured to calculate signer tracing information Ti=g1^{ki1} based on the member secret key and the generator g1,the signer device comprises;
a signer storing module configured to store the public parameter including the prime order q and the generator g1 of the multiplicative cyclic group G of the prime order q used in the group signature scheme, the group public key, the member secret key, the signer tracing information Ti, and a message;
an encrypted text generating module configured to generate encrypted text data of the signer tracing information Ti by encrypting the signer tracing information Ti based on the public parameter and the group public key in the signer storing module;
a zero-knowledge proof generating module configured to generate a zero-knowledge proof showing that the signer device knows the member secret key and the encrypted text data is correctly generated based on the signer tracing information Ti, based on the public parameter, the group public key, the member secret key and the message in the signer storing module, and the encrypted text data of the signer tracing information Ti; and
a module that transmits, to the verifier device, a group signature composed of the encrypted text data and the zero knowledge proof, and the message, andthe verifier device comprises;
a verifier storing module configured to store the public parameter including the prime order q and the generator g1 of the multiplicative cyclic group G of the prime order q used in the group signature scheme, and the group public key,a module that receives the group signature and the message from the signer device;
a verifying module configured to verify correctness of the group signature, based on the received group signature and message, the public parameter and the group public key in the verifier storing module; and
a module that transmits the verified result to the signer device.
5 Assignments
0 Petitions
Accused Products
Abstract
A group signature system includes a group manager device, a signer device and a verifier device capable of communicating with each other, each device using a group signature scheme. The group manager device generates a group secret key, a group public key, a member secret key and a signer tracing information. The signer device generates an encrypted text data of the signer tracing information, and a zero-knowledge proof showing that the signer device knows the member secret key and the encrypted text data is correctly generated based on the signer tracing information. The signer device transmits, to the verifier device, a group signature composed of the encrypted text data and the zero knowledge proof, and the message. The verifier device verifies correctness of the group signature and transmits the verified result to the signer device.
28 Citations
9 Claims
-
1. A group signature system comprising a group manager device, a signer device and a verifier device capable of communicating with each other, each device using a group signature scheme, wherein
the group manager device comprises: -
a parameter storing module configured to store a public parameter including a prime order q and a generator g1 of a multiplicative cyclic group G of the prime order q used in the group signature scheme; a group key generating module configured to generate a group secret key including values a, bε
Zq, and a group public key including values g2, f and the generator g1 satisfying a first relational expression g2=g1a and a second relational expression f=g1b, based on the public parameter in the parameter storing module;a member secret key generating module configured to calculate a member secret key composed of representation (ki1, ki2) satisfying a fourth relational expression f=g1^{ki1}g2^{ki2}, based on the group secret key, the group public key and a third relational expression ki1=b−
aki2 mod q (^ is a symbol representing exponentiation); anda signer tracing information calculating module configured to calculate signer tracing information Ti=g1^{ki1} based on the member secret key and the generator g1, the signer device comprises; a signer storing module configured to store the public parameter including the prime order q and the generator g1 of the multiplicative cyclic group G of the prime order q used in the group signature scheme, the group public key, the member secret key, the signer tracing information Ti, and a message; an encrypted text generating module configured to generate encrypted text data of the signer tracing information Ti by encrypting the signer tracing information Ti based on the public parameter and the group public key in the signer storing module; a zero-knowledge proof generating module configured to generate a zero-knowledge proof showing that the signer device knows the member secret key and the encrypted text data is correctly generated based on the signer tracing information Ti, based on the public parameter, the group public key, the member secret key and the message in the signer storing module, and the encrypted text data of the signer tracing information Ti; and a module that transmits, to the verifier device, a group signature composed of the encrypted text data and the zero knowledge proof, and the message, and the verifier device comprises; a verifier storing module configured to store the public parameter including the prime order q and the generator g1 of the multiplicative cyclic group G of the prime order q used in the group signature scheme, and the group public key, a module that receives the group signature and the message from the signer device; a verifying module configured to verify correctness of the group signature, based on the received group signature and message, the public parameter and the group public key in the verifier storing module; and a module that transmits the verified result to the signer device.
-
-
2. A group manager device capable of communicating with a signer device and a verifier device, the group manager device comprising:
-
a parameter storing module configured to store a public parameter including a prime order q and a generator g1 of a multiplicative cyclic group G of the prime order q used in a group signature scheme; a group key generating module configured to generate a group secret key including values a, bε
Zq, and a group public key including values g2, f and the generator g1 satisfying a first relational expression g2=g1a and a second relational expression f=g1b, based on the public parameter in the parameter storing module;a member secret key generating module configured to calculate a member secret key composed of representation (ki1, ki2) satisfying a fourth relational expression f=g1^{ki1}g2^{ki2}, based on the group secret key, the group public key and a third relational expression ki1=b−
aki2 mod q (^ is a symbol representing exponentiation);a signer tracing information calculating module configured to calculate signer tracing information Ti=g1^{ki1} based on the member secret key and the generator g1; a module that transmits, to the signer device, the public parameter, the group public key, the member secret key and the signer tracing information Ti to generate a group signature in the group signature scheme; and a module that transmits, to the verifier device, the public parameter and the group public key to verify the group signature in the group signature scheme. - View Dependent Claims (3)
-
-
4. A signer device capable of communicating with a group manager device and a verifier device using a group signature scheme, the signer device comprising:
-
a module that receives, from the group manager device, a public parameter including a prime order q and a generator g1 of a multiplicative cyclic group G of the prime order q used in the group signature scheme;
a group public key including values g2, f and the generator g1 generated, based on the public parameter, to satisfy values a, bε
Zq, a first relational expression g2=g1a and a second relational expression f=g1b;
a member secret key composed of representation (ki1, ki2) generated, based on the values a, bε
Zq, the group public key and a third relational expression ki1=b−
aki2 mod q, to satisfy a fourth relational expression f=g1^{ki1}g2^{ki2} (^ is a symbol representing exponentiation); and
the signer tracing information Ti=g1^{ki1} generated based on the member secret key and the generator g1,a signer storing module configured to store the public parameter, the group public key, the member secret key and the signer tracing information Ti that are received, and a message; a module configured to generate the message and to store the message in the signer storing module; an encrypted text generating module configured to generate encrypted text data of the signer tracing information Ti by encrypting the signer tracing information Ti based on the public parameter and the group public key in the signer storing module; a zero-knowledge proof generating module configured to generate a zero-knowledge proof showing that the member secret key is known and the encrypted text data is correctly generated based on the signer tracing information Ti, based on the public parameter, the group public key, the member secret key and the message in the signer storing module, and the encrypted text data of the signer tracing information Ti, and a module that transmits, to the verifier device, the group signature composed of the encrypted text data and the zero-knowledge proof, and the message.
-
-
5. A verifier device capable of communicating with a group manager device and a signer device used in a group signature scheme, the verifier device comprising:
-
a module that receives, from the group manager device, a public parameter including a prime order q and a generator g1 of a multiplicative cyclic group G of the prime order q used in the group signature scheme, and a group public key including values g2, f and the generator g1 generated, based on the public parameter, to satisfy values a, bε
Zq, a first relational expression g2=g1a and a second relational expression f=g1b;a verifier storing module configured to store the public parameter and the group public key that are received; a module that receives, from the signer device, a member secret key composed of representation (ki1, ki2) generated, based on the values a, bε
Zq, the group public key and a third relational expression ki1=b−
aki2 mod q, to satisfy a fourth relational expression f=g1^{ki1}g2^{ki2} (^ is a symbol representing exponentiation), a group signature, and a message, the group signature being composed of the zero-knowledge proof and the encrypted text data of the signer tracing information Ti, and the zero-knowledge proof showing that, regarding the signer tracing information Ti=g1^{ki1}, the member secret key is known and the encrypted text data is correctly generated based on the signer tracing information Ti;a verifying module configured to verify correctness of the group signature, based on the group signature and the message that are received, the public parameter, and the group public key in the verifier storing module; and a module that transmits the verified result to the signer device, wherein the encrypted text data is data provided by encrypting the signer tracing information Ti by the signer device based on the public parameter and the group public key, and the zero-knowledge proof is data generated by the signer device based on the public parameter, the group public key, the member secret key and the message, and the encrypted text data of the signer tracing information Ti.
-
-
6. A non-transitory computer-readable storage medium storing a program used for a group manager device capable of communicating with a signer device and a verifier device using a group signature scheme, the program comprising:
-
first program code that allows the computer to execute processing of storing a public parameter including a prime order q and a generator g1 of a multiplicative cyclic group G of the prime order q used in the group signature scheme in a memory of the computer; second program code that allows the computer to execute processing of generating, based on the public parameter in the memory, a group secret key including values a, bε
Zq, and a group public key including values g2, f and the generator g1 satisfying a first relational expression g2=g1a and a second relational expression f=g1b;third program code that allows the computer to execute processing of calculating a member secret key composed of representation (ki1, ki2) satisfying a fourth relational expression f=based on the group secret key, the group public key and a third relational expression ki1=b−
aki2 mod q (^ is a symbol representing exponentiation);fourth program code that allows the computer to execute processing of calculating signer tracing information Ti=g1^{ki1} based on the member secret key and the generator g1; fifth program code that allows the computer to execute processing of transmitting, to the signer device, the public parameter, the group public key, the member secret key and the signer tracing information Ti to generate a group signature in the group signature scheme; and sixth program code that allows the computer to execute processing of transmitting, to the verifier device, the public parameter and the group public key to verify the group signature in the group signature scheme. - View Dependent Claims (7)
-
-
8. A non-transitory computer-readable storage medium storing a program used for a signer device capable of communicating with a group manager device and a verifier device using a group signature scheme, the program comprising:
-
first program code that allows the computer to execute processing of receiving, from the group manager device, a public parameter including a prime order q and a generator g1 of a multiplicative cyclic group G of the prime order q used in the group signature scheme;
a group public key including values g2, f and the generator g1 generated, based on the public parameter, to satisfy values a, bε
Zq, a first relational expression g2=g1a and a second relational expression f=g1b;
a member secret key composed of representation (ki1, ki2) generated, based on the values a, bε
Zq, the group public key, and a third relational expression ki1=b−
aki2 mod q, to satisfy a fourth relational expression f=g1^{ki1}g2^{ki2} (^ is a symbol representing exponentiation); and
signer tracing information Ti=g1^{ki1} generated based on the member secret key and the generator g1,second program code that allows the computer to execute processing of storing the public parameter, the group public key, the member secret key and the signer tracing information Ti that are received, and a message; third program code that allows the computer to execute processing of generating the message and storing the message in the memory; fourth program code that allows the computer to execute processing of generating encrypted text data of the signer tracing information Ti by encrypting the signer tracing information Ti based on the public parameter and the group public key in the memory; fifth program code that allows the computer to execute processing of generating a zero-knowledge proof showing that the member secret key is known and the encrypted text data is correctly generated based on the signer tracing information Ti, based on the public parameter, the group public key, the member secret key and the message in the memory, and the encrypted text data of the signer tracing information Ti, and sixth program code that allows the computer to execute processing of transmitting, to the verifier device, the group signature composed of the encrypted text data and the zero-knowledge proof, and the message.
-
-
9. A non-transitory computer-readable storage medium storing a program used for a verifier device capable of communicating with a group manager device and a signer device used in a group signature scheme, the program comprising:
-
first program code that allows the computer to execute processing of receiving, from the group manager device, a public parameter including a prime order q and a generator g1 of a multiplicative cyclic group G of the prime order q used in the group signature scheme, and a group public key including values g2, f and the generator g1 generated, based on the public parameter, to satisfy values a, bε
Zq, a first relational expression g2=g1a and a second relational expression f=g1b;second program code that allows the computer to execute processing of storing the public parameter and the group public key that are received in a memory of the computer; third program code that allows the computer to execute processing of receiving, from the signer device, a member secret key composed of representation (ki1, ki2) generated, based on the values a, bε
Zq, the group public key and a third relational expression ki1=b−
aki2 mod q, to satisfy a fourth relational expression f=g1^{ki1}g2^{ki2} (^ is a symbol representing exponentiation), a group signature, and a message, the group signature being composed of the zero-knowledge proof and the encrypted text data of the signer tracing information Ti, and the zero-knowledge proof showing that, regarding the signer tracing information Ti=g1^{ki1}, the member secret key is known and the encrypted text data is correctly generated based on the signer tracing information Ti;fourth program code that allows the computer to execute processing of verifying correctness of the group signature, based on the group signature and the message that are received, the public parameter, and the group public key in the memory; and fifth program code that allows the computer to execute processing of transmitting the verified result to the signer device, wherein the encrypted text data is data provided by encrypting the signer tracing information Ti by the signer device based on the public parameter and the group public key, and the zero-knowledge proof is data generated by the signer device based on the public parameter, the group public key, the member secret key and the message, and the encrypted text data of the signer tracing information Ti.
-
Specification