Method and apparatus for en-bloc verification of plural digital signatures and recording medium with the method recorded thereon

Abstract

Upon receiving a message {ID′i−1, X′i−1, m′i−1, Yi−1} from a signer (i−1), a signer i generates a random number ri, then calculates Xi=gri mod p using pieces of public information p, q and g, then sets X′i=(X′i−1, Xi), m′i=(m′i−1, mi), then calculates ei=fi(X′i, m′i), di=hi(X′i, m′i) with public one-way functions fi and hi, calculates yi=(yi−1+diri+eisi) mod q using a secret random number si, sets ID′i=(ID′i−1, IDi), and sends information {ID′i,X′i,m′i,y′i} to the next signer (i+1). A verifier calculates ei and di with the one-way functions fi and hi using X′L and m′L contained in received information {ID′L, X′L, m′L, yL}, and makes a check to see if gyL≡X1d1 ILe1 . . . XLdL ILeL (mod p), thereby verifying signatures of the signers en bloc.

Description

BACKGROUND OF THE INVENTION

The present invention relates to a method and apparatus which enable a verifier to conduct an en-bloc verification of individual, multiple or superimposed signatures electronically attached by a plurality of signers to one or more electronified documents in a system for decision making by circulating them to the signers. The invention also pertains to a recording medium with the verification method recorded thereon.

A typical digital signature scheme is one that utilizes the RSA cryptosystem (R. L. Rivest, et al., “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”, Communications of the ACM, Vol. 21, No. 2, pp.120-126 (1978)). The RSA cryptosystem is such as described below.

A signer A generates a signature key (d, N) and a verification key (e, N) so that they satisfy

N=P×Q

e×d≡1(mod L)

where L=LCM{(P−1), (Q−1)}

Then the signer A publishes the verification key while keeping the signature key in secret. In the above, LCM{a, b} represents the least common multiple of the integers a and b, and P and Qare assumed to be two large different prime numbers. Further, a≡b(mod L) represents that a-b is a multiple of L.

The RSA cryptosystem is a cryptosystem that bases its security on the difficulty in factorizing N into prime numbers when the N is large. It is difficult to compute the d-component of the secret signature key from the published verification key (N, e).

A verifier B keeps the verification key (e, N) of the signer A in combination with his identification information (ID). A trusted center may sometimes holds such verification keys in the form of a public information management directory.

A signature function D and averification function E are defined as follows:

D( m )= m d mod N

E( y )= y e mod N

It is possible to show that the following equation holds true for an integer m which satisfies 0≦m<N.

E(D( m ))= m

where a mod N represents the remainder that results from the division of a by N.

The digital signature scheme utilizing the RSA cryptosystem is such as described below. The signer A generates f(m) from a document m using a one-way function f, then adds thereto a signature y=D(f(m)) using the secret signature function D, and sends a combination (ID, m, y) of his identification information (ID), the document m and the signature y as a signed message to the verifier B.

The verifier B retrieves the verification key information (e, N) of the signer A from the public information management file using the signer's identification information ID as the key therefor, then computes E(y)=y e mod N from the y-component of the signed message through the use of the retrieved verification key information (e, N), nd makes a check to see if E(y) matches f(m) derived from m using he one-way function f. If E(y)=f(m), then the verifier B judges that the sender is the genuine signer A and that the signed message (ID, m, y) has not been forged, because it is only the true signer A that knows the signature function D(m)=m d mod N, i.e. the aforementioned d-component.

The one-way function f mentioned herein is a function with which it is easy to calculate f(x) from x but it is difficult to obtain x from f(x). The one-way function f can be set up using a traditional high-speed encryption system, for example, a DES cryptosystem (Data Encryption Standard, Federal Information Processing Standards Publication 46, 1977). With the use of high-speed components, the time for computing the function f would substantially be negligible. The one-way function recited hereinafter is such one that can calculated a value for an x of an arbitrary data-length.

The integer N for use in the RSA cryptosystem is usually decimal 308 digits (1024 bits) or so in length. The d-component of the signature key is also about 1024-bit long. It is well-known in the art that a square-and-multiply algorithm is used to calculate the signature function D. The computation of a 308-digit integer (including a modular N calculation) needs to be performed on an average of 1536 times, imposing a heavy computational load on the signer A for signature generation.

The square-and-multiply algorithm for computing x a mod N is such as described below.

Step S1: z=1

Step S2: The following steps S2-1 and S2-2 are repeated until a numerical subscript i becomes |a|−1 from 0 (Assume that |a| represents the number of bits of a).

Step S2-1: z′=z 2 mod N

Step S2-2: if a i =1, update z with z=z′x mod N (a i being a value, 0 or 1, of an i-th bit of a), and return to step S2-1.

If a i =0, return to step S2-1 without updating z.

Step S3: z is output.

(The square-and-multiply algorithm is described, for example, in Douglas R. Stinson, “CRYPTOGRAPHY, Theory and Practice,” CRC, Press p127, 1995

With a view to solving the problem of increased computational load on the signer apparatus for signature generation, there have been proposed interactive proofs (typical examples of which are a Fiat-Shamir and a Schnorr scheme) (A. Fiat and A. Shamir, “How to prove yourself: practical solutions to identification and signature problems,” Advances in Cryptology-Crypto 86, Springer-Verlag, pp. 186-194; C. P. Schnorr, “Efficient Identification and Signatures for smart Card,” Advances in Cryptology-EUROCRYPT7 89, springer-verlag, pp. 235-251; and M. Tompa and H. Woll, “Random Self-Reducibility and Zero Knowledge Interactive Proofs of Possession of Information,” Proceedings of the 28th IEEE Symposium on the Foundation of Computer Science, pp. 472-482 (1987)).

A description will be given of a digital signature by the Schnorr scheme.

A trusted center publishes two large primes p and q which bear a relation that q is a measure of p−1, and an integer gε(Z/pZ)*={1, 2, . . . , p−1} which has an order q.

Step S1: The signer A generates a random number sε(Z/qZ)={0, 1, 2, . . . q−1}, then computes public information I by

 I= g s mod p  (1)

and publishes a pair of identification information (ID) and information I.

The signer A goes through the following procedure to prove to the verifier B that the document or message m is true or genuine.

Step S2: The signer A generates a random number rε(Z/qZ), and computes

X= g r mod p  (2)

Step S3: The signer A computes an integer eε(Z/qZ) by the following equation using the one-way function f.

e=f (X, m )  (3)

Step S4: The signer A generates the signature y by

y=r+er mod q  (4)

and sends {ID, m, X, y} as a signed message to the verifier B.

Step S5: The verifier B computes the integer eε(Z/qZ) using the one-way function f by

e=f (X, m )  (5)

Step S6: The verifier B makes a check to see if the following equation holds true.

g y ≡XI e (mod p)  (6)

where I is public information corresponding to the identification information ID.

As is seen from the way of generating the signature y, g y ≡g r (g s ) e ≡XI e (mod p); hence, when Eq. (6) holds true, then the verifier B recognizes the document m as duly sent from the signer A.

In steps S2 through S4 described above, the signature of the signer could be forged if {ID, X, m, y} were sent as a signed message when the integer eε(Z/qZ), with which e=f(X, m) would hold, could be found by calculating Xε(Z/pZ)*, which would satisfy Eq. (6), after suitably choosing the integers eε(Z/qZ) and yε(Z/qZ). Since the probability with which the verification equation e=f(m, X) holds true is 1/q, however, the computational complexity involved in the forgery of signature depends on the value q. In the following description the number of bits of the prime p will be represented by |p|.

With the Schnorr scheme, the signature generation processing by the sender involves a multiplication (including modular p calculations) of|p|-bit integers on an average of 3/2|q| times, a single multiplication (including modular q calculations) of |q|-bit integers and a single addition (including modular q calculations) of the |q|-bit integers.

While in the above the signed message is {ID, X, m, y}, it is also possible to use e in place of X to provide {ID, e, m, y}. In this instance, a check is made to see if the relation e=f(X, m) holds, by calculating X by X=(g y )(I e ) −1 mod p. When |e|<|X|, the latter will make the message shorter.

Now, consider that a plurality of signers sign different documents on the superimposed-signature basis. A typical example of using the superimposed-signature scheme is as follows: For example, a certification authority CA guarantees the validity of the correspondence between the public identification information ID and public information I of the signer by a digital signature T=D CA (ID, I) affixed to a document (ID, I), and sends the signature T to the signer. The signer generates a signature D ID (m, T) for a pair of the document m and the signature T through the use of the secret information corresponding to the public information I, and sends the signature D ID (m, T) to the verifier, enabling him to verify the signature D ID (m, T) of the signer and the signature T of the certification authority CA.

In the superimposed-signature scheme it is important to suppress the amount of information to be processed by the signer for signature generation, suppress the amount of information to be processed by the verifier for signature verification and prevent an increase in the signature components.

With the digital signature scheme utilizing the RSA cryptosystem, respective signers i sign documents m i in a sequential order to provide information D L (m L , . . . , D 2 (f(m 2 , D 1 (f(m 1 )))) . . . ), thereby implementing the superimposed-signature function. In this instance, a large amount of calculation to be processed for signature generation gives rise to a problem.

With a direct application of the Schnorr scheme to the superimposed-signature scheme, it is considered possible to employ a method of adding information {ID i , X i , y i } to documents (m 1 , . . . , m i−1 , m i ) for each signer i. The X i -component is |p|-bit long and y i -component |q|-bit long. When L signers sign, information of (|p|+|q|)×L bits will ultimately added to a message, that is, L signers' identification information ID and documents (m 1 , . . . , m L ). In this case, too, an increase in the signature component (X-component, y-component) causes a problem.

Next, a description will be given of the multi-signature scheme in which a plurality of signers sign one document in a sequential order. With the digital signature scheme utilizing the RSA cryptosystem, it is possible to implement the multi-signature when the plurality of signers sign on a signature y of a message {ID, m, y} one after another (i.e. D L . . . D 1 ,(f(m))). This scheme also encounters the problem of the large amount of calculation to be processed for signature generation.

With a direct application of the Schnorr scheme to the multi-signature scheme, it is considered feasible to employ a method of adding information {ID, X, y} to a message m for each signer. The X-component is |p|-bit long and y-component |q|-bit long. When L signers sign the message in a sequential order, information of (|p|+|q|)×L bits will ultimately be added to a message (L signers' identification information ID and document m). In this instance, too, an increase in the signature component (X-component, y-component) produces a problem.

As regards the multi-signature scheme, there has been proposed a multi-signature scheme that permits reduction of each of the X- and y-components to one by accumulating the values of the X- and y-components for each signature generating process (K. Ohta and T. Okamoto, “A Digital Multi-Signature Scheme Based on the Fiat-Shamir Scheme,” Advances in Cryptology-ASIACRYPT'91, springer-Verlage, pp.139-148). Since this scheme involves two rounds of circulation of a message to signers, however, the multi-signature by L signers requires (2L−1) rounds of communication; hence, an increase in the number of communications gives rise to a problem.

With the multi-signature scheme that involves two rounds of circulation of a message to signers, it is impossible to realize the superimposed-signature scheme wherein the document to be signed differs for each signer. The reason for this is that since all documents, for example, m 1 and m 2 , must be determined in the first round of circulation, the signature to the documents (m 1 , m 2 ) cannot be generated after the generation of the signature to the document m 1 .

There has been proposed a scheme for modifying an ElGamal signature to the multi-signature (Atsushi Shimbo, “Multisignature Schemes Based on the ElGamal Scheme, The 1994 Symposium on Cryptography and Information Security SCIS94-2C). However, this literature is silent about the superimposed use of signature. With the proposed modified scheme, it is difficult to realize the Schnorr signature with one round of circulation, and the security of any of the proposed schemes was not strictly evaluated (see Conclusion on page 9 of the literature).

In a system utilizing the digital signature scheme, the situation occasionally arises where a plurality of signatures are gathered at one place and verified. For example, electronic money is returned to its issuing institution, wherein the validity of the electronic money is verified. In such an instance, the use of an interactive proof will permit a substantial reduction of the amount of calculation to be processed for signature generation. But the amount of calculation to be processed for signature verification may sometimes increase. For example, Schnorr scheme involves multiplication of |p|-bit integers (including modular p calculations) on an average of 3/2|q| times, but in the RSA scheme, since e=3 can be achieved without impairing the security, the number of multiplications of |N|-bit integers (including modular N calculations) is only two.

Now, a description will be given of en-bloc verification of a plurality of signatures in the above-mentioned digital signature scheme.

Since the digital signature scheme utilizing the RSA cryptosystem encounters the problem of the large amount of calculation to be processed for signature generation and uses the value N i of a different modulus for each signer, it is considered impossible to verify N i and N j at one time.

When the Schnorr scheme is used without any modifications, the signer i signs a message m i by adding thereto information {ID i , X i , y i }, where the X i -component is |p| bits in length and the y i -component |q| bits in length. In the case where L signers i each sign a different document m i (where 1≦i≦L) and L independent verification equations are used to verify the L signatures, the amount of calculation to be processed for signature verification is L rounds of verification.

In view of the above, there has been proposed a scheme that uses the following one verification equation by accumulating the value of the y-component.

g y ′=X 1 I 1 e L . . . X L I L e L (mod p)  (7)

where $$ y ′ = ∑ I = 1 L ⁢ y i ⁢   ⁢ and ⁢   ⁢ e i = f ⁡ ( X i , m i ) .

See, for example, Ohta and Okamoto, “Multi-Signature Schemes Using Fiat-Shamir Scheme,” Spring National Convention of the Institute of Electronics, Information and Communication Engineers of Japan (1989), A-277 (1989), and Harada and Tatebayashi, “An efficient method for computing a general monomial and its application,” Technical Report of Institute of Electronics, Information and Communication Engineers of Japan ISEC91-40 (1991).

With these schemes, each signer can forge other signers' signatures, giving rise to a problem in terms of security. This problem is discussed, for example, in Shimbo and Kawamura, “Consideration on computing vector addition chain and its application,” Technical Report of the Institute of Electronics, Information and Communication Engineers of Japan ISEC91-59 (1991).

In the above literature there are described the signature generation, the signature verification and attacks thereto in the situation where a plurality of signers sign one document; but even if each signer signs a different document, the use of the afore-mentioned verification equation allows the direct application of the attack to the multiple signature, producing a security problem.

SUMMARY OF THE INVENTION

A first object of the present invention is to provide a signature method and apparatus that permit en-bloc verification of a superimposed or multiple signature or individual signatures attached by a plurality of signers to the same or different documents, and a recording method with the signature method recorded thereon.

A second object of the present invention is to provide a secure superimposed-signature method and apparatus that prevent an increase in the amount of data for signature components in the case where a plurality of signers each sign a different document and it is desirable to certify the order of signing, and a recording medium with the superimposed-signature method recorded thereon.

A third object of the present invention is to provide a secure multi-signature method and apparatus that permit realization of a multiple signature by only one round of circulation of a message to a plurality of signers and prevent an increase in the amount of data for signature components, and a recording medium with the multi-signature method recorded thereon.

A fourth object of the present invention is to provide a secure signature method and apparatus that permits en-bloc and hence efficient verification of signatures when a plurality of signers each sign a different document, and a recording medium with the signature method recorded thereon.

A signature verification method according to a first aspect of the present invention comprises the steps:

wherein each signer i:

(a) generates a first random number s i as secret information, then generates information I i =(s i , β) with a function G 2 through the use of a public parameter β and the first random number s i , and publishes the information I i and two one-way functions f i and h i and identification information ID i used by the signer I as his public information {ID i , I i , f i , h i };

(b) generates a second random number r i , then generates information X i =Φ(r i , β) by setting the parameter β and the second random number r i in a function Φ, and sets information containing the information X i as X′ i ;

(c) generates

e i =f i (X′ i , m′ i )

d i =h i (X′ i , m′ i )

 with the one-way functions f i and h i through the use of document information m′ i containing a document m i to be signed and the information X′ i ; and

(d) generates, to information containing e i , d i , s i and r i , a signature

y i =Sg i (e i , d i , s i , r i , y′ i−1 )

 with a signature function Sg i generated using the parameter β and, letting information containing the identification information ID i be represented as identification information ID′ i , sends out {ID′ i , X′ i , m′ i , y i } individually or via the other signers to a verifier as the last destination, where in the case of sending individually, the y′ i−1 is set as an empty set and in the case of sending via the other signers, the y′ i−1 is set such that y′ i−1 =y i−1 ; and

wherein the verifier:

(e) computes, from the public information {ID i , I i , f i , h i }, information I i corresponding to the identification ID i contained in ID′ i in the received information {ID′ i , X′ i , m′ i , y i } and the one-way functions f i and h i , and calculates e i and d i using the one-way functions f i and h i and the received pieces of information X′ i and m′ i ;

(f) calculates the information X i contained in the information X′ i , and computes

Z′=V((X i *d i ), (I i *e i )| i =1 . . . , L)

 with a function V containing calculations (X i *d i ) of d i and X i and (I i *e i ) of e i and I i for i=1 . . . , L; and

(g) computes W=Γ(y i *β) with a function Γ containing a calculation (y i *β) of y i and β, then verifies the validity of the signatures by making a check to see if W=Z′, and if both values match each other, decides that the signatures are all valid.

According to a second aspect of the present invention, the value of the y-component, which is one of principal signature components, is accumulated for each signature generation processing to suppress an increase in the amount of data of the overall signature component, thereby setting up a superimposed-signature scheme applicable to the Fiat-Shamir and Schnorr schemes. While it is conventional that the exponential component in the verification processing is only the e-component used as an exponentiation component of I, the present invention newly introduces the d-component as a second exponentiation component for the exponentiation of X, and generates the e- and d-components taking into account the order of signers, thereby preventing an increase of the number of communications while at the same time providing security. According to a third aspect of the present invention, the value of the y-component, which is one of principal signature components, is accumulated for each signature generation processing to suppress an increase in the amount of data of the overall signature component, thereby setting up a multi-signature scheme applicable to the Fiat-Shamir and Schnorr schemes. While is conventional that the exponential component in the verification processing is only the e-component used as an exponentiation component of I, the present invention newly introduces the d-component as a second exponentiation component for the exponentiation of X, thereby preventing an increase of the number of communications while at the same time providing security.

According to a fourth aspect of the present invention, while it is conventional that the exponential component in the verification processing is only the e-component used as an exponentiation component of I, the d-component is newly introduced as a second exponentiation component for the exponentiation of X, thereby setting up a signature scheme that permits en-bloc signature verification and is applicable to the Fiat-Shamir and Schnorr schemes while at the same time provides security even if the value of the y-component, which is one of the principal signal components, is accumulated at the time of signature verification and only one verification equation is used.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A is a block diagram illustrating the configuration of a system to which the superimposed- or multi-signature scheme and the en-bloc signature verification therefor according to the present invention;

FIG. 1B is a block diagram illustrating the configuration of a system to which the individual-signature scheme and the en-bloc signature verification therefor according to the present invention;

FIG. 2 is a block diagram depicting that functional configuration of a center apparatus 100 in FIG. 1A or 1 B which is associated with processing for initial information setting;

FIG. 3 is a block diagram depicting that functional configuration of a signer i apparatus 30 i apparatus in FIG. 1A which is associated with a process for its system subscription;

FIG. 4 is a diagram depicting an interaction sequence of information with superimposed signatures;

FIG. 5 is a block diagram depicting that functional configuration of the signer i apparatus 30 i in FIG. 1A which is associated with processing for signature generation;

FIG. 6 is a block diagram depicting that functional configuration of a verifier apparatus 800 in FIG. 1A which is associated with processing for signature verification;

FIG. 7 is a diagram depicting an interaction sequence of information with multiple signatures;

FIG. 8 is a block diagram depicting that functional configuration of the signer i apparatus 30 i in FIG. 1A which is associated with processing for signature generation in the multi-signature scheme;

FIG. 9 is a block diagram depicting that functional configuration of the verifier apparatus 800 in FIG. 1A which is associated with processing for signature verification in the multi-signature scheme;

FIG. 10 is a block diagram depicting that functional configuration of the signer i apparatus 30 i in FIG. 1B which is associated with processing for its system subscription in the individual-signature scheme;

FIG. 11 is a diagram depicting an interaction sequence of information in the individual-signature scheme;

FIG. 12 is a block diagram depicting that functional configuration of the signer i apparatus 30 i in FIG. 1B which is associated with processing for signature generation;

FIG. 13 is a block diagram depicting that functional configuration of the verifier apparatus 800 in FIG. 1B which is associated with processing for signature verification;

FIG. 14 is a block diagram depicting that functional configuration of the center apparatus 100 in FIG. 1A which is associated with processing for initial information setting in the case of an elliptic curve cryptosystem;

FIG. 15 is a block diagram depicting that functional block of the signer i apparatus 30 i in the system of FIG. 1A which is associated with processing for its system subscription employing the elliptic curve cryptosystem;

FIG. 16 is a block diagram depicting that functional block of the signer i apparatus 30 i in the system of FIG. 1A which is associated with processing for signature generation in the superimposed-signature scheme employing the elliptic curve cryptosystem;

FIG. 17 is a block diagram depicting that functional block of the verifier apparatus 800 in the system of FIG. 1A which is associated with processing for signature verification in the superimposed-signature scheme employing the elliptic curve cryptosystem;

FIG. 18 is a block diagram illustrating the configuration of the signer i apparatus 30 i in a system of FIG. 1A for the multi-signature scheme employing an elliptic curve;

FIG. 19 is a block diagram illustrating the configuration of the verifier apparatus 800 in the system of FIG. 1A for the multi-signature scheme employing the elliptic curve;

FIG. 20 s a block diagram illustrating the configuration of the signer i apparatus 30 i in a system of FIG. 1B for the individual-signature scheme employing the elliptic curve;

FIG. 21 is a block diagram illustrating the configuration of the verifier apparatus 800 in the system of FIG. 1B for the individual-signature scheme employing the elliptic curve;

FIG. 22 is a table showing basic computation equations in the present invention in comparison with those in the RSA and Schnorr schemes to evaluate the present invention; and

FIG. 23 is a table showing the required computational load in the present invention in comparison with those in the RSA and Schnorr schemes.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The en-bloc signature system according to the present invention comprises a center apparatus (hereinafter referred to also as a center) 100 , L (where L is an integer equal to or greater than 2) signer apparatuses (hereinafter referred to also as signers) 30 1 , 30 2 , . . . , 30 L and a verifier apparatus (hereinafter referred to also as a verifier) 800 respectively connected to the center apparatus 100 via channels 400 of guaranteed security. The signer apparatuses 30 1 , 30 2 , . . . , 30 L are sequentially connected via channels 500 of not guaranteed security. The L-th signer apparatus 30 L is connected to the verifier apparatus 800 via a channel 700 of not guaranteed security. In this system the signer 30 1 attaches his signature to a document m 1 using a signature function Sg 1 , then sends the signed document as signature information y 1 =Sg 1 (m 1 ) to the next signer 30 2 , who in turn attaches his signature to a document m 2 and the received signature information y 1 using a signature function Sg 2 and sends them as signature information y 1 =Sg 2 (m 1 , y 1 ) to the signer 30 3 ; the same processing is repeated for each subsequent signer. The last signer 30 L attaches his signature to a document m L and his received signature information y L−1 using a signature function Sg L , and sends them as signature information y L =Sg L (m L , y L−1 ) to the verifier apparatus 800 . The signature processing like this is called a superimposed-signature scheme.

In this example, when only the first signer's document m 1 exists and the subsequent signers' documents m 2 , . . . , m L do not exist, the L signers sign the same document m 1 one after another—this is called a multi-signature scheme. At any rate, according to the present invention, the verifier 800 verifies the received signature information y L en bloc. When all the signatures are valid, their verification finishes with one round of processing, but when any one of the signatures is invalid, processing is performed to detect the unauthorized signer. For example, when the number of signers involved is 2 M , they are divided into first and second half groups each consisting of 2 M−1 signers, and signatures of 2 M−1 signers of either one of the groups are verified in a lump. If an invalid signature is found, the 2 M−2 of the first- or second-half group are verified en block; if no invalid signature is found, the signatures of the remaining 2 M−1 or 2 M−2 signers of the first- or second-half group are verified en bloc, followed by repeating the same processing. In this way, the unauthorized signature can be detected by M+1 rounds of verification processing.

In another system for carrying out the present invention, as shown in FIG. 1B , the center apparatus 100 is connected to the L signer apparatuses 30 1 , 30 2 , . . . , 30 L and the verifier apparatus 800 via the channels 400 of guaranteed security as in the case of FIG. 1 A. The signer apparatuses 30 1 , 30 2 , . . . , 30 L are each connected directly to the verifier apparatus 800 via the channel 500 of not guaranteed security. In this system each signer attaches his signature to the document m 1 using a signature function Sg i and sends the signed document as signature information y i =Sg i (m i ) to the verifier 800 , who verifies en bloc the received signature information y i =Sg i (m i ) where i=1, . . . , L.

A description will be given of the principles of the methods for conducting en-bloc signature verification on signatures of a plurality of signers in the above two systems according to the present invention.

Step S1: The center 100 publishes (sends to all the signers and the verifier) public parameter information containing a parameter q for each signer to generate the signature function Sg i and a parameter β=G 1 (q) generated with a function G 1 using the parameter q.

Step S2: Each signer i generates a first random number s i as secret information and keeps it in a memory. Further, the signer i generates information I i =G 2 (s i , β) with a function G 2 using the public parameter β and the first random number s i and registers the information I i , two one-way functions f i and h i for use by the signer i and his identification information ID i , as signer public information {ID i , I i , f i , h i } at the center 100 .

Step S3: The signer i generates a second random number r i , and sets the parameter β and the second random number r i in a function Φ, generating information X i =Φ(r i , β). Information containing the information X i is set as X′ i .

Step S4: The signer i uses document information m′ i containing a document m i to be signed and the information X′ i to generate with the two one-way functions f i and h i

e i =f i (X′ i , m′ i )  (8)

d i =h i (X′ i , m′ i )  (9)

Step S5: The signer i generates the following signature to information containing e i , d i , s i , r i and y′ i−1 with the signature function Sg i

y =Sg i ( e i , d i , s i , r i , y′ i−1 )  (10)

then sets information containing the identification information ID i as identification information ID′ i , and sends information {ID′ i , X′ i , m′ i , y i } individually or via the other signers to the verifier 800 as the last destination. In the case of sending individually to the verifier, y′ i−1 is set as an empty set, and in the case of sending via the other signers, y′ i−1 is set such that y′ i−1 =y i−1 .

Step S6: The verifier 800 calculates from the public information {ID i , I i , f i , h i } the information I i corresponding to the identification information ID i contained in ID′ i in the received information {ID′ i , X′ i , m′ i , y i } and the two one-way functions f i and h i , and calculates e i and d i using the one-way functions f i and h i of Eqs. (8) and (9) and the received pieces of information X′ i and m′ i . Further, the verifier 800 extracts X i from the received information X′ i , then performs a calculation d i *X i between d i and X i and a calculation e i *I i between e i and I i , and calculates the following value with respect to the results of the above calculations through the use of a function V.

Z′=V((X i *d i ), (I i *e i )| i =1, . . . , L)  (11)

The calculation indicated by the symbol * can be done by an exponentiation, multiplication, or the like.

Step S7: Moreover, the verifier 800 sets the calculation result y i *β between y i and β in a function Γ to compute W=Γ(y i *β), then conducts a signature verification by making a check to see if W=Z′, and if so, decides that the signatures are all valid.

In the case of conducting the en-bloc signature verification by the above-described method in the superimposed- or multi-signature system of FIG. 1A , set the information y′ i−1 =y i−1 and set the pieces of information X′ i , m′ i and ID′ i as follows:

X′ i =(X′ i−1 , X i )  (12)

m′ i =( m′ i−1 , m i )  (13)

ID′ i =(ID′ i , ID i−1 )  (14)

The signer i receives information {ID′ i−1 , X′ i−1 , m′ i−1 , y i−1 } from the preceding signer (i−1), then executes steps S3 through S5, and sends information {ID′ i , X′ i , m′ i , y i } to the next signer (i+1). the last signer executes steps S3 through S5 and sends information{ID′ L , X′ L , m′ L , y L } to the verifier 800 .

In the above, setting m′ 1 =m 1 =m and m 2 =m 3 = . . . =m L =“empty set,” that is, setting m′ 2 =m′ 3 = . . . =m′ L =m, the afore-mentioned multi-signature is obtained.

In the case of verifying signatures en bloc by following the procedures of the above-mentioned steps S1 through S7 in the individual-signature system of FIG. 1B , y′ i−1 =empty set, X′ i =X i , m′ i =m i and ID′ i =ID i are set, and the signer i sends the information {ID i , X i , m i , y i }, generated by steps S3, S4 and S5, directly to the verifier 800 .

According to the present invention, as described above in connection with step S4, each signer generates the two pieces of information e i and d i using the two one-way functions f i and h i , and generates the information y i containing these components, and the signature verification is conducted taking into account these two pieces of information e i and d i . Hence, the verification can be conducted based on one round of circulation of information after signing by the signers 1 through L; furthermore, security is guaranteed. In contrast thereto, since the signature verification method by Schnorr described previously derives the signature y from the e-component and the random numbers r and s calculated using one one-way function f as indicated by Eqs. (3) and (4), the direct application of this method to the superimposed signature scheme will increase the amount of information {ID i , X i , y i } that is sent from each signer to the next one, inevitably increasing the amount of calculation to be processed by the verifier for signature verification.

Next, a description will be given of a concrete method for carrying out the above-described basic en-bloc signature verification scheme in the systems of FIGS. 1A and 1B and examples of each signer apparatus and the verifier apparatus for use therein.

EMBODIMENT 1

This embodiment concerns the applications of the superimposed-signature and en-bloc signature verification based on the principles of the present invention to the Schnorr schemes in the system of FIG. 1 A. The idea of utilizing a second exponentiation component mentioned herein is also widely applicable to the Fiat-Shamir schemes and digital signature schemes utilizing interactive proofs including the Fiat-Shamir schemes. Examples of the interactive proofs including the Fiat-Shamir schemes or the like are described in the aforementioned literature by Tompa and woll.

At the time of its subscription to the system each signer apparatus 30 i (where i=1, . . . , L) generates secret information si and public information, and registers public information (ID, I) with a public information management file of the center apparatus 100 . The center apparatus 100 sends the public information to the signer apparatuses 30 1 , . . . , 30 L and the verifier 800 as required.

A description will be given first of initial information setting processing by the center apparatus 100 at the time of starting the system (see FIG. 2 ). This processing is intended to publish a unique value {p, q, g} of the system.

(1-A) Initial Information Setting Processing (by the center apparatus at the time of starting the system)

Step S1: The center apparatus 100 generates a prime p by a prime generator 110 and a prime q, which is a measure of p−1, by a divider 120 .

Step S2: the center apparatus 100 generates a primitive element α of (Z/pZ)* by a primitive element generator 130 and an integer g of an order q by the following calculation, using a modular exponentiator 140 .

g =α (p−1)/q mod p  (15)

The right-hand side of Eq. (15) represents the aforementioned function G 1 and g on the right-hand side corresponds to β.

Step S3: The public information {p, q, g} is sent to the signer apparatuses 30 1 , . . . , 30 L and the verifier apparatus 800 via the secure communication lines 400 .

(1-B) Processing by the Signer i Apparatus for its Subscription to the System

Next, a description will be given of processing that the signer i performs when it subscribes to the system (see FIG. 3 showing the signer i apparatus 30 i ). In the memory 33 of each signer apparatus 30 i is stored the public information {p, q, g} received from the center 100 .

Step S4: The signer i generates the random number s i by a random generator 31 and inputs it into a modular exponentiator 32 , together with the pieces of public information g and p, wherein the public information I i is computed by

I i =g s i mod p  (16)

The right-hand side of Eq. (16) represents the aforementioned function G 2 .

Step S5: The signer i apparatus sends the identification information ID i , the public information I, and the one-way functions f i and h i via the secure line 400 to the center apparatus 100 for registering them as public information {ID i , I i , f i , h i }. The signer i apparatus holds the random number s i as secret information in a memory 33 .

Other signer apparatuses also perform the same processing when they subscribe to the system. The center apparatus 100 provides the public information (ID i , I i , f i , h i ) (where i=1, 2, . . . , L) to the verifier apparatus 800 by some means, for example, in the form of a public file.

In the following description the signed version of the document m′ i , which is provided from the signer i apparatus, will be identified by {ID′ i , X′ i , m′ i , y i }. Now, a description will be given of the case where the signer (i−1) apparatus sends the message to be signed and the signer i apparatus attaches its signature to the message and sends the signed message to the next signer (i+1) apparatus. When L signers generate superimposed signature, it is sufficient only to increase i one by one from 1 to L and repeat the following procedure. In this case, the signer (L+1) apparatus is regarded as the verifier apparatus; ID′ 0 =empty set, X′ 0 =empty set and y 0 =0.

(1-C) Processing of the Signer i Apparatus for Signature Generation

FIG. 4 shows an interaction sequence of a message and FIG. 5 the functional configuration of the signer i apparatus. When receiving a message {ID′ i−1 , X′ i−1 , m′ i−1 , y i−1 } from the signer (i−1) apparatus, the signer i apparatus performs the signature generation processing described below.

Step S6: The signer i generates the random number r i by a random generator 310 and inputs it into amodular exponentiator 320 which calculates the function Φ, together with the pieces of public information {p, g} stored in the memory 33 , and wherein X i is calculated by

X i =Φ( r i , g )= g r i mod p  (17)

Step S7: The signer i uses a function f i calculator 330 and a function h i calculator 340 to calculate two pieces of information e i and d i by

  e i =f i (X′ i , m′ i )  (18)

d i =h i (X′ i , m′ i )  (19)

In this case, X′ i =(X′ i−1 , X i ) or m′ i =(m′ i−1 , m i ), where m i is the document to be signed by the signer i.

Step S8: The signer i inputs these pieces of information e i , d i and the random number r i into a modular exponentiator 350 and then into a modular adder 360 , together with the public information q and the secret information s i , generating the signature

y i =( y i−1 +d i r i +e i s i ) mod q  (20)

The right-hand side of Eq. (20) represents the signature function Sg i in Eq. (10).

Step S9: The signer i apparatus sets ID′ i =(ID′ i−1 , ID i ), and sends information {ID′ i , X′ i , m′ i , y i } to the next signer (i+1) apparatus.

(1-D) Process of the Verifier Apparatus 800 for Signature Verification

FIG. 6 depicts the functional configuration of the verifier apparatus 800 . When receiving the message {ID′ L , X′ L , m′ L , y L } from the signer L apparatus, the verifier apparatus 800 verifies the validity of each signature by the processing described below.

Step S10: The one-way functions f i and h i contained in the public information {ID i , I i , f i , h i } provided from the center apparatus 100 are set in one-way function calculators 810 and 820 , respectively. The first i components of the information X′ L are used to form X′ i and the first i components of the information m′ L are used to form m′ i . These pieces of information X′ i and m′ i thus obtained are set in the function f i calculator 810 and the function h i calculator 820 , wherein the components e i and d i (where 1≦i≦L) are calculated by

  e i =f i (X′ i , m′ i )= f i (X 1 , X 2 , . . . , X i , {m 1 , m 2 , . . . , m i })  (21)

d i =h i (X′ i , m′ i )= h i (X 1 , X 2 , . . . , X i , {m 1 , m 2 , . . . , m i })  (22)

Step S11: The information I i is derived from the public information {ID i , T i , f i , h i } (where i=1, 2, . . . , L) provided from the center apparatus 100 , and the information X i is also derived from the information X′ L . These pieces of information I i and X i are input into a multi-component modular exponentiator 830 , together with the components e i and d i and the public information p, wherein Z′ is calculated by

Z′=X 1 d 1 I 1 e 1 . . . X L d L I L e L mod p  (23)

The right-hand side of Eq. (23) corresponds to the function V((X i *d i ), (I i *e i )|i=1, . . . , L) referred to previously in connection with the principles of the present invention.

Step S12: The information y L and the pieces of public information p and g stored in the memory 88 are input into a modular exponentiator 840 to calculate W by

W= g y L mod p  (24)

Step S13: Z′ and W are input into a comparator 850 , wherein they are compared to make sure that

W=Z′  (25)

If they match each other, it is considered that the documents (m 1 , . . . , m L ) have been duly signed by the L authorized signer i apparatuses, respectively.

(1-E) Improved Square-and-Multiply Algorithm for Multiple Components

A description will be given below of an improved square-and-multiply algorithm for the calculation of Eq. (23) by the multi-component modular exponentiator 830 , such as a multi-component modular exponentiation as expressed by x a y b mod N.

Step 1: z=1

Step 2: The following processing is carried out for the suffix i=0, 1, . . . , |a|−1 (where |a| represents the number of bits of a.

Step 2-1 : z=z 2 mod N  (26)

Step 2—2: If ( a i , b i )=(1, 0), z=zx mod N (27)

If (a i , b i )=(0, 1), z=zy mod N  (28)

If ( a i , b i )=(1, 1), z=z ( xy ) mod N  (29)

where a i is the value, 0 or 1, of an i-th bit, ditto for b i .

Step 3: z is output.

By using the above algorithm with x=X i , a=d i , y=I i , b=e i and N=p, it is possible to obtain Z 1 Z 2 mod p (where Z 1 =X i d i I i e i mod p).

Taking into account the way of generating y L , $$ g y L ≡ g y L - 1 ⁡ ( g r L ) d L ⁢ ( g s L ) e L ≡ g y L - 1 ⁢ X L d L ⁢ I L e L ≡ ⋯ ≡ X 1 d 1 ⁢ I 1 e 1 ⁢ ⋯X L d L ⁢ I L e L ⁡ ( mod ⁢   ⁢ p ) ( 30 )

Hence, when the documents {m 1 , . . . , m L } pass the above said test by the comparator 850 , the verifier apparatus 800 accepts the documents as having been duly signed by the L authorized or valid signers.

A method for implementing the multi-component square-and-multiply algorithm with higher efficiency is described, for example, in D. E. Knuth, “The Art of Computer Programming, Vol. 2 , Seminumerical Algorithms,” Addison-Wesley Publishing, (1981), P. 456, Exercises 27 and 35.

According to the method proposed in the above literature, if s is set as the unit of storage for storing results of a precalculation in a table (s=2 in the above-described multi-component square-and-multiply algorithm), the number of multiplications (including modular p calculations) becomes as follows:

(2 s −s =1)[(2L+1)/ s ]+[(2L+1)/ s]|q |−1 +|q |−1

where [b/a] represents the minimum integer greater than b/a.

It is also possible to configure the system such that the signer i apparatus 30 i makes a check, prior to its signature generation, to see if its received message {ID′ i−1 , X′ i−1 , m′ i−1 , y i−1 } has been duly signed by the preceding signer i through (i−1) apparatuses and, if so, attaches its signature to the verified message. In this instance, the center 100 provides the public information (ID i , I i , f i , h i ) on i=1, . . . , (i−1) to the signer i in advance, and the verification may be conducted in the same fashion as in steps 10 through 13 in the verifier apparatus 800 . In this case, L in steps S10 through S13 is replaced with (i−1).

The signer apparatuses and the verifier apparatus usually perform the above-described processing by means of computers.

As referred to previously, the present invention is applicable not only to the Schnorr schemes but also to the Fiat-Shamir schemes and digital signature schemes utilizing the interactive proofs including the Fiat-Shamir schemes. Accordingly, the method of the present invention may be summarized in general as follows:

That is, the system parameters that are published are p for specifying the number of elements of the group, an element g of the group with which a group calculation starts, and a positive integer q such that when the element g is calculated q times, the calculation returns to the element g.

The signer i apparatus:

generates the random number s i by the random generator at the time of its subscription to the system, and inputs the random number s i and the pieces of public information g and p into a group calculator, wherein the element g is calculated s i times to compute the public information I i ; and

publishes the public information I i and the one-way functions f i and h i together with the identification information ID i but holds the random number s i as secret information.

In the signature generation processing, upon receiving from the signer (i−1) apparatus the signed message {ID′ i−1 , X′ i−1 , m′ i−1 , y i−1 } based on the message m i−1 , the signer i apparatus:

generates the random number r i using the random generator, then inputs it into the group calculator together with the pieces of public information p and g to calculate the element g r i times to obtain the information X i , and sets X′ i =(X′ i−1 , X i ) and m′ i =(m′ i , m i );

calculates the components e i and d i by

e i =f i (X′ i , m′ i )

d i =h i (X′ i , m′ i )

through the use of the function f i calculator and the function h i calculator; and

inputs the pieces of information e i , d i and r i into an exponential component multiplier and an exponential component adder together with the public information q and the secret information s i , wherein y i is calculated with the signature function Sg i by

y i =( y i−1 +d i r i +e i s i ) mod q

then sets ID′ i =(ID′ i−1 , ID i ), and send the message {ID′I i , X′ i , m′ i , y i } to the next signer (i+1) apparatus.

On the other hand, when receiving the message {ID′ L , X′ L , m′ L , y L } from the signer L apparatus, the verifier apparatus forms X′ i by the first i components of the information X′ L and m′ i by the first i components of the information m′ L , then inputs these pieces of information X′ i and m′ i into the function f i calculator and the function h i calculator, respectively, wherein

e i =f i (X′ i , m′ i )

d i =h i (X′ i , m′ i )

are calculated to obtain the components e, and d, for each i (where 1 ≦i≦L), then derives the corresponding public information I i from the ID i component in the information ID′ L and the information X i from the X′ L component, and inputs these pieces of information I i and X i and the above-mentioned components e i and d i and the public information p into the multi-component group calculator, wherein Z′ is obtained by sequentially calculating X i d i times and T i e i times for i's from 1 to L;

inputs y L and the pieces of public information p and g into the group calculator to calculate g y L times, thereby obtain W; and

inputs Z′ and W into the comparator to make a check to see if W≡Z′

and if they match each other, recognizes that the document {m 1 , . . . , m L } has been duly signed by L authorized signer i apparatuses.

In this typical scheme, too, each signer i apparatus, a user apparatus and a recording medium are similarly constructed.

While in the above ID′ i =(ID′ i−1 , ID i ), it is also possible to set that ID′ i =(ID′ i−1 , I i ). This will save the verifier apparatus the trouble of searching the identification information ID i for the public information

EMBODIMENT 2

In the superimposed-signature scheme and the en-bloc signature verification therefor described previously with reference to FIGS. 2 through 6 , when the document m 1 to be signed by the signature apparatus 30 1 is set at m and the documents m2, . . . , mL in the signer apparatuses 30 2 through 30 L are all made empty, the signers 1 through L will sign the document m on the multi-signature basis. An embodiment in this case will be described below. This embodiment will be described to use the Schnorr scheme.

The system configuration of this embodiment is the same as depicted in FIG. 1A , and the center apparatus 100 is also identical in construction with that shown in FIG. 2 . Moreover, the center apparatus 100 performs exactly the same processing as in the first embodiment, and generates public information {p, q, g} by the initial information setting processing and provides it to the signer apparatuses 30 1 through 30 L and the verifier apparatus 800 .

The processing for the signer i to subscribe to the system is also the same as in the case of the first embodiment, and the apparatus 30 1 therefor is also the same as that shown in FIG. 3 . The signer i generates the public information I i by this processing, and sends it and the one-way functions f i and h i and the identification information ID i via the secure communication channel 400 to the center apparatus 100 for registration therewith as the public information {ID i , I i , f i , h i }. At the same time, the signer i holds s i as secret information in the memory 33 .

Other signer apparatuses also perform the same processing as mentioned above when they subscribe to the system.

In this embodiment, the signed message of the document m, which is output from the signer i apparatus, is represented by {ID′ i , X′i, m, y i }. The signer (i−1) apparatus sends the message to be signed, and the signer i apparatus generates and attaches its signature to the message and sends the signed message to the next signer (i+1) apparatus. When L signers sequentially sign the message, i is increased one by one from 1 to L and the following procedure is repeated. In this embodiment, the signer (L+1) apparatus is regarded as a verifier apparatus. In this case, ID′ 0 =empty set, X′ 0 =empty set and y 0 =0.

(2-A) Processing of the Signer i Apparatus for Signature Generation

FIG. 7 depicts an interaction sequence of a message and FIG. 8 the functional configuration of the signer i apparatus. Upon receiving the message {ID′ i−1 , X′ i−1 , m, y i−1 } from the signer (i−1) apparatus, the signer i apparatus carries out the following signature generation processing. In the memory 33 are stored the public information {p, q, g} received from the center 100 , the secret random number s i and the identification infornation ID i .

Step S1: The signer i generates the random number r i by the random generator 310 and inputs it into the modular exponentiator 320 , together with the pieces of public information p and g, wherein X i is calculated using the function Φ by

X i =Φ( r i , g )= g r i mod p (31)

Step S2: The signer i uses the function f i calculator 330 and the function h i calculator 340 to calculate the two pieces of information e i and d i by

e i =f i (X′ i , m )  (32)

d i =h i (X′ i , m )  (33)

where X′ i =(X′ i−1 , X i ).

Step S3: The signer i inputs these pieces of information e i , d i , and r i into the modular exponentiator 350 and then into the modular adder 360 , together with the public information q and the secret information s i , thereby generating y i with the signature function Sg i as follows:

y i =Sg i ( e i , d i , s i , r i , y i−1 )=( y i−1 +d i r i +e i s i ) mod q (34)

Step S4: The signer i apparatus sets ID′ i =(ID′ i−1 , ID i ), and sends the message {ID′ i , X′ i , m, y i } to the next signer (i+1) apparatus.

(2-B) Process of the Verifier Apparatus 800 for Signature Verification

FIG. 9 depicts the functional configuration of the verifier apparatus 800 . When receiving the message {ID′ L , X′ L , m, y L } from the signer L apparatus, the verifier apparatus 800 verifies the validity of each signature by the processing described below.

Step S5: The verifier apparatus 800 forms X′i by the first i components of the information X′ L , and inputs it and the document m into the function f i calculator 810 and the function h i calculator 820 , wherein the components e i and d i (where 1≦i≦L) are calculated by

e i =f i (X′ i , m )= f i (X 1 , . . . , X i , m )  (35)

d i =h i (X′ i , m )= h i (X 1 , . . . , X i , m )  (36)

Step S6: The verifier apparatus 800 derives information I i from the ID i component in the information ID′ L and extracts the X i component in the information X′ L , and input these components into the multi-component modular exponentiator 830 , together with the components e i and d i and the public information p, wherein Z′ is calculated with the verification function V by $$ Z ′ =   ⁢ V ⁡ ( X i * d i ) , ( I i * e i ) | i = 1 , ⋯ ⁢   , L ) =   ⁢ X 1 d 1 ⁢ I 1 e 1 ⁢ ⋯ ⁢   ⁢ X L d L ⁢ I L e L ⁢   ⁢ mod ⁢   ⁢ p ( 37 )

Step S7: The verifier apparatus 800 inputs the information y L , together with the public information {p, g} stored in the memory 88 , into the modular exponentiator 840 to calculate W with the function Γ by

W=Γ( y L *g )= g y L mode p  (38)

Step S8: The verifier apparatus 800 inputs Z′ and W into a comparator 850 , wherein they are compared to see if

W=Z′

If they match each other, it is considered that the document m has been duly signed by the L authorized signer i apparatuses.

An improved square-and-multiply algorithm for calculating xayb mod N in the multi-component modular exponentiator may be the same as that described previously in connection with the first embodiment.

Taking into account the way of generating y L , $$ g y L ≡ g y L - 1 ⁡ ( g r L ) d L ⁢ ( g s L ) e L ≡ g y L - 1 ⁢ X L d L ⁢ I L e L ≡ ⋯ ≡ X 1 d 1 ⁢ I 1 e 1 ⁢ ⋯X L d L ⁢ I L e L ⁡ ( mod ⁢   ⁢ p )

Hence, when the document m passes the abovesaid test by the comparator 850 , the verifier apparatus 800 accepts the document m as having been duly signed by the L authorized signers.

It is also possible to configure the system such that the signer i apparatus 30 i makes a check, prior to its signature generation, to see if its received message {ID′ i−1 , X′ i−1 , m, y i−1 } has been duly signed by the preceding signer i through (i−1) apparatuses and, if so, attaches its signature to the verified message. In this instance, the verification may be conducted in the same fashion as in steps 10 through 13 in the verifier apparatus 800 . In this case, L in steps S10 through S13 is replaced with (i−1).

The signer apparatuses and the verifier apparatus usually perform the above-described processing by means of computers.

As referred to previously, this second embodiment is applicable not only to the Schnorr schemes but also to the Fiat-Shamir schemes and digital signature schemes utilizing the interactive proofs including the Fiat-Shamir schemes. Accordingly, the method of the present invention may be summarized in general as follows:

That is, the system parameters that are published are p for specifying the number of elements of the group, an element g of the group with which a group calculation starts, and a positive integer q such that when the element g is calculated q times, the calculation returns to the element g.

The signer i apparatus:

generates the random number s i by the random generator at the time of its subscription to the system, and inputs the random number s i and the pieces of public information g and p into the group calculator, wherein the element g is calculated s i times to compute the public information I i ; and

publishes the public information I i and the one-way functions f i and h i together with the identification information ID i but holds the random number s i as secret information.

In the signature generation processing, upon receiving from the signer (i−1) apparatus the signed message {ID′ i−1 , X′ i−1 , m, y i−1 } based on the message m, the signer i apparatus:

generates the random number r i by the random generator, then inputs it into the group calculator together with the pieces of public information p and g to calculate the information g r i times to obtain the information X i , and sets X′ i =(X′ i−1 , X i );

calculates the components e i and d i by

e i =f i (X′ i , m)

d i =h i (X′ i , m)

through the use of the function f i calculator and the function h i calculator; and

inputs the pieces of information e i , d i and r i into an exponential component multiplier and an exponential component adder together with the public information q and the secret information s i , wherein y i is calculated with the signature function Sg i by

y i =Sg i ( e i , d i , s i , r i , y i−1 )=( y i−1 +d i r i +e i s i ) mod q

then sets ID′ i =(ID′ i−1 , ID i ), and sends the message {ID′ i , X′ i , m, y i } to the next signer (i+1) apparatus.

On the other hand, when receiving the message {ID′ L , X′ L , m, y L } from the signer L apparatus, the verifier apparatus 800 forms X′ i by the first i components of the information X′ L , then inputs it into the function f i calculator and the function h i calculator, respectively, wherein

e i =f i (X′ i , m)

d i =h i (X′ i , m)

are calculated to obtain the components e, and di for each i (where 1≦i≦L), then derives the corresponding public information I i from the ID i component in the information ID′ L and the information X i from the X′ L component, and inputs these pieces of information I i and X i and the above-mentioned components e i and d i and the public information p into the multi-component group calculator, wherein Z′ is obtained by sequentially calculating X i d i times and T i e i times for i's from 1 to L;

inputs y L and the pieces of public information p and g into the group calculator to calculate g y L times, thereby obtain W; and

inputs Z′ and W into the comparator to make a check to see if W≡Z′

and if they match each other, recognizes that the document m has been duly signed by L authorized signer i apparatuses.

In this typical scheme, too, each signer i apparatus, a user apparatus and a recording medium are similarly constructed.

While in the above ID′ i =(ID′ i−1 , ID i ), it is also possible to set that ID′ i =(ID′ i−1 , I i ). This will save the verifier apparatus the trouble of searching the identification information ID i for the public information I i .

EMBODIMENT 3

Next, an embodiment in which, in the system of FIG. 1B , the signer apparatuses 30 i through 30 L individually attach their signatures to respective documents m 1 through m L and provide them to the verifier apparatus 800 for verifying the signed documents en bloc will be described in connection with the case of employing the Schnorr scheme. The idea of utilizing the second exponentiation component, described below, is also widely applicable to the Fiat-Shamir schemes and digital signature schemes that utilizes interactive proofs including them.

(3-A) Initial Information Setting Processing

The center apparatus 100 is common to that of FIG. 2 in the configuration for the initial information setting processing to publish the value {p, q, g} unique to the system, and the following processing therefor is also the same as in the case of FIG. 2 .

Step S1: The center apparatus 100 generates the prime p by the prime generator 110 and a prime q, which is a measure of p−1, by the divider 120 .

Step S2: The center apparatus 100 generates the primitive element α of (Z/pZ)* by the primitive element generator 130 and the integer g of the order q as the aforementioned parameter β by the following calculation, using the modular exponentiator 140 that computes the function G 1 described previously in connection with the principles of the present invention.

β= g =G 1 ( q )=α (p−1)/q mod p  (40)

Step S3: The public information {p, q, g} is sent to the signer apparatuses 30 1 , . . . , 30 L and the verifier apparatus 800 over the secure channels 400 .

(3-B) Processing by the Signer i Apparatus at the Time of Joining the System

Next, a description will be given, with reference to FIG. 10 , of processing that the signer i apparatus performs for its subscription to the system. It is noted that the memory 33 has stored therein the public information {p, q, g} received from the center 100 .

Step S4: The signer i generates the random number s i by the random generator 31 and inputs it and the pieces of public information g(=β) and p into the modular exponentiator 32 which calculates the function G 2 (si, β) referred to previously in connection with the principles of the invention. By this, the following calculation is conducted to obtain the public information I i .

I i =G 2 ( s i , g )= g s i mod p  (41)

Step S5: The signer i apparatus sends the identification information ID i , the public information I i and the one-way functions f i and h i via the secure channel 400 to the center apparatus 100 , wherein they are registered as public information. At the same time, the signer i apparatus holds the random number s i as secret information in the memory 33 .

Other signer apparatuses also perform the same processing when they subscribe to the system.

In the following description the signed document will be identified by {ID i , X i , m i , y i } on the assumption that the signer i apparatus signs the document m i .

(3-C) Processing of the Signer i Apparatus for Signature Generation

FIG. 11 shows interaction sequences of messages and FIG. 12 the functional configuration of the signer 30 i apparatus.

Step S6: The signer i apparatus 30 i generates the random number r i by the random generator 310 and inputs it into the modular exponentiator 320 which calculates the function Φ, together with the pieces of public information p and g; X i is calculated by

X i =Φ( r i , g )= g r i mod p  (42)

Step S7: The signer i apparatus 30 i uses the function f i calculator 330 and the function h i calculator 340 to calculate two pieces of information e i and d i by

e i =f i (X i , m i )  (43)

d i =h i (X i , m i )  (44)

Step S8: The signer i apparatus 30 i inputs these pieces of information e i , d i and r i into the modular exponentiator 350 and then into the modular adder 360 , together with the public information q and the secret information s i , calculating with the signature function Sg i by

  y i =Sg i ( e i , d i , s i , r i , q )=( d i r i +e i s i ) mod q  (45)

Step S9: The signer i apparatus 30 i sends the message {ID i , X i , m i , y i } to the verifier apparatus 800 .

(3-D) Process of the Verifier Apparatus 800 for Signature Verification

FIG. 13 depicts the functional configuration of the verifier apparatus 800 . In the memory 88 is stored the public information {p, q, g} received from the center. When receiving the L messages {ID i , X i , m i , y i } from the L signer apparatuses, the verifier apparatus 800 caries out the following processing to verify the respective signature en bloc.

Step S10: The verifier apparatus 800 inputs the information X i and the document m i into the function f i calculator 810 and the function h i calculator 820 , wherein the components e i and d i (where 1≦I≦L) are respectively calculated by

e i =f i (X i , m i ))

d i =h i (X i , m i )

Step S11: The verifier apparatus 800 receives from the center 100 the public information I i corresponding to the identification information ID i , and inputs the public information I i , together with the components ei and di generated as described above and the public information p, the multi-component modular exponentiator 830 , together with the components e i and d i and the public information p, wherein Z′ is calculated by

Z′=V(X i *d i ), (I i *e i )| i =1, . . . , L)=(X 1 d 1 I 1 e 1 . . . X L d L I L e L )mod p  (46)

Step S12: The verifier apparatus 800 inputs L pieces of information y i and the public information q into the modular adder 840 to calculate an accumulated value Y by $$ Y = ∑ i = 1 L ⁢ y i ⁢   ⁢ mod ⁢   ⁢ q ( 47 )

Then, the verifier apparatus 800 inputs Y and the public information {p, q} into the modular exponentiator 845 which calculates the function Γ(Y*g); to obtain W by

W=Γ(Y* g )= g Y mod p  (48)

Step S13: Z′ and W are input into a comparator 850 , wherein they are compared to make a check to see if

W=Z′

If they match each other, it is considered that the respective documents m i have been duly signed by the L authorized signer i apparatuses.

One method of the square-and-multiply algorithms for calculating x a y b mod N in the multi-component modular exponentiator 830 is the same as described previously.

Taking into account the way of generating the accumulated value Y, $$ g Y ≡ g y L - 1 ⁡ ( g r L ) d L ⁢ ( g s L ) e L = g y L - 1 ⁢ X L d L ⁢ I L e L ≡ ⋯ ≡ X 1 d 1 ⁢ ⋯ ⁢   ⁢ X L d L ⁢   ⁢ I 1 e 1 ⁢ ⋯ ⁢   ⁢ I L e L ⁡ ( mod ⁢   ⁢ p ) ( 49 )

Hence, when the documents m i pass the abovesaid test by the comparator 860 , the verifier apparatus 800 accepts the documents as having been duly signed by the L authorized or valid signers.

Now, a description will be given of processing in the case where W=Z′ does not hold in step S13. For example, when L=100, the messages {ID i , X i , m i , y i } are divided into two groups (L/2=50), and the processing of steps S9 through S13 are carried out for the messages of one of the two groups to make a check to see if a mismatch is found among them. If a mismatch is found, the messages of that group are subdivided into two; and if no mismatch is found, the messages of the other group are subdivided into two. Then the messages of one of the two subdivided groups are subjected to the processing of steps S9 to S13. By repeating this processing, the verifier apparatus is capable of locating which signer apparatus failed to duly sign the document concerned.

As referred to previously, the present invention is applicable not only to the Schnorr schemes but also to the Fiat-Shamir schemes and digital signature schemes utilizing the interactive proofs including the Fiat-Shamir schemes. Accordingly, the method of the present invention may be summarized in general as follows:

That is, the system parameters that are published are p for specifying the number of elements of the group, an element g of the group with which a group calculation starts, and a positive integer q such that when the element g is calculated q times, the calculation returns to the element g.

The signer i apparatus:

generates the random number s i by the random generator at the time of its subscription to the system, and inputs the random number s i and the pieces of public information g and p into a group calculator, wherein the element g is calculated s i times to compute the public information I i ; and

publishes the public information I i , the function f i and h i together with the identification information ID i but holds the random number s i as secret information.

In the signature generation processing, the signer i apparatus:

generates the random number r i using the random generator, then inputs it into the group calculator together with the pieces of public information p and g to calculate the element g r i times to obtain the information X i ;

calculates the components e i and d i by

e i =f i (X i , m i )

d i =h i (X i , m i )

through the use of the function f i calculator and the function h i calculator; and

inputs the pieces of information e i , d i and r i , together with the public information q and the secret information s i , into an exponential component multiplier and an exponential component adder to calculate y i by

y i =(d i r i +e i s i ) mod q

and thus obtains and sends the messages {ID i , X i , m i , y i } to the verifier apparatus.

When receiving the messages {ID i , X i , m i , y i } (where 1≦I≦L) from the L signer i apparatuses, the verifier apparatus inputs the information X i and the message m i into the function f i calculator and the function h i calculator, respectively, wherein

e i =f i (X i , m i )

d i =h i (X i , m i )

are calculated to obtain the components e i and d i for each i (where 1≦i≦L), then derives the public information I i from the identification application ID i , and inputs these pieces of information I i and X i and the above-mentioned components e i and d i and the public information p into the multi-component group calculator, wherein Z′ is obtained by sequentially calculating X i d i times and T i e i times for i's from 1 to L;

inputs L pieces of information y i and the public information p into the exponential component adder to calculate Y by $$ Y = ∑ i = 1 L ⁢ y i ⁢   ⁢ mod ⁢   ⁢ q

then input Y and the pieces of public information p and g into a group calculator, wherein g is calculated Y times to obtain W; and

inputs Z′ and W into the comparator to make a check to see if

W≡Z′

and if they match each other, recognizes that the L documents m i have been duly signed by L authorized signer i apparatuses.

The signer apparatus and the verifier apparatus each usually perform processing by a computer.

While Embodiments 1 through 3 have been described to use Zq as a commutative group of the finite field that is defined by the parameter q, an elliptic curve can be used as the commutative group—this solves the problem of increased amount of calculation to be processed by the signer for signature generation. The RSA cryptosystem bases its security on the difficulty of a factoring problem, whereas the elliptic curve cryptosystem bases its security on a discrete logarithm problem on an elliptic curve which is considered harder to solve than the factoring problem.

The following is the definition of the elliptic curve on the finite field GF(q) which is given using parameters a, bεGF(q)(4a 3 +27b 2 ≠0).

E a,b (GF( q ))={( x, y )εGF( q ) 2 |y 2 =x 3 +ax+b }520 {0}  (50)

where GF(q) is called a definition field of the elliptic curve E a,b (GF(q)) and 0 indicates an infinite point.

The addition on the elliptic curve in this instance is as follows:

When setting

P i =( x i , y i )εE a,b (GF( q ))

(where i=1, 2),

(x 3 , y 3 )=P 1 +P 2 can be written as follows:

(a): when P 1 ≠P 2 , setting λ=(y 2 −y 1 )/(x 2 −x 1 ),

x 3 =λ 2 −( x 1 +x 2 ),

y 3 =−y 1 +λ( x 1 −x 3 )  (51)

(b): when P 1 =P 2 , that is, when (x 3 , y 3 )=2P 1 , setting λ=(3x 1 2 +a)/(2y 1 ),

x 3 =λ 2 −2 x 1 ,

y 3 =−y 1 +λ( x 1 −x 3 )  (52)

The group computation on the elliptic curve is described, for example, in D. R. Stinson, “CRYPTOGRAPHY Theory and Practice,” CRC Press, pp. 187-190, 1995. In the following description, the addition of P 1 and P 2 on the elliptic curve E a,b (GF(q)) will be represented by (P 1 +P 2 ) over E a,b (GF(q)).

Since the presently known solution to the discrete logarithm problem on the elliptic curve is less efficient or more difficult than the solution to the factoring problem, it is possible to make the parameter q of the definition field of the elliptic curve small accordingly, thereby reducing the computational complexity involved. In concrete terms, it is said that the same security as in the case of |N|=1024 could be guaranteed by |q|=160, where |p| represents the number of bits of the prime p (see, for example, Bruce Schneicer, “APPLIED CRYPTOGRAPHY (Second Edition),” John Wiley & Sons, Inc., pp. 480-481, 1996).

The usual discrete logarithm problem is one that, when an integer gε(Z/pZ)*={1, 2, . . . , p−1}, where p is large prime and g has an order q, is provided as public information, a calculation is made of yεZ/qZ that satisfies g y ≡x(mod p) with respect to an integer xε(Z/pZ)*.

On the other hand, the discrete logarithm problem on the elliptic curve is a problem that, when the definition field GF(q), the parameters a and b of the elliptic curve and a point PεE a,b (GF(q)) of an order k on the elliptic curve are provided as public information, a calculation is made of yεZ/kZ which satisfies yP≡X over E a,b (GF(q)) with respect to a point XεE a,b (GF(q)) on the elliptic curve. The point P is called a base point. yP≡X over E a,b (GF(q)) indicates that the base point P, when added y times on the elliptic curve, will coincide with the point XεE a,b (GF(q)). The y-times addition of the base point P on the elliptic curve E a,b (GF(q)), in particular, is represented by yP over E a,b (GF(q)), which is used to define a group calculation on the elliptic curve.

With the use of the above-defined group calculation on the elliptic curve, a Diffie-Heilman key-sharing scheme, an ElGamal cryptosystem and an EGamal signature scheme, which utilize the difficulty of the usual discrete logarithm problem, could all be modified into schemes that utilize the difficulty of the discrete logarithm on the elliptic curve.

The Schnorr and the Fiat-Shamir schemes, which utilize the interactive proofs, could also be modified into schemes utilizing the difficulty of the discrete logarithm on the elliptic curve. A description will be given, for example, of a digital signature by the Schnorr scheme employing the elliptic curve.

A trusted center publishes the parameter q of the definition field GF(q), the parameter a,b,GF(q) of the elliptic curve, and the base point PεE a,b (GF)q)) of an order k on the elliptic curve.

Step 1: A signer A generates a random number sε(Z/kZ) and calculates public information I by

I= s P over E a,b (GF( q ))  (53)

and publishes a pair of identification information (ID) and information I.

The signer A goes through the following procedure to prove to a verifier B that a document m is genuine.

Step 2: The signer A generates a random number rε(Z/kZ) and calculates

X=rP over E a,b (GF( q ))  (54)

Step 3: The signer A calculates an integer eε(Z/kZ) using a one-way function f by

e=f (X, m )  (55)

Step 4: The signer A generates a signature y by

y =( r+es ) mod k  (56)

and sends {ID, m, X, y} as a signed message to the verifier B.

Step 5: The verifier B calculates the integer eε(Z/kZ) using the one-way function f by

e=f(X, m)

Step 6: The verifier B makes a check to see if

y P≡(X+ e I) over E a,b (GF( q ))  (57)

where I is public information corresponding to the identification information ID.

Taking into account the way of generating y,

y P≡( r+es P≡ r P+ e ( s P)≡(X+ e I) over E a,b (GF( q ))  (58)

Hence, when Eq. (57) is satisfied, the verifier B recognizes that the document m has been duly sent from the signer A.

In the above, the signature of the signer A could be forged if {ID, X, m, y} were sent as a signed message when the integer eε(Z/kZ), with which e=f(X, m) would hold, could be found by calculating XεE a,b (GF(q)), which would satisfy the verification equation, after suitably choosing the integers eε(Z/kZ) and yε(Z/kZ). Since the probability that the verification equation e=f(X, m) holds is 1/k, the computational complexity involved in the forgery of signature depends on the value k.

The elliptic Schnorr scheme involves the computation of Eqs. (51) and (52) for an n-fold point calculation (including modular q calculations) on the elliptic curve on an average of 3|q|/2 times, a single multiplication (including modular k calculations) of |k|-bit integers and a single addition (including modular k calculations) of the |k|-bit integers.

The above elliptic curve method will be described below as being applied to the first through third embodiment described previously.

The result of addition P3 (P1+P2) on the elliptic curve is calculated by Eqs. (51) and (52) using x- and y-coordinates. As is evident from Eq. (59) that defines the elliptic curve, once the x-coordinate is determined, the point on the elliptic curve is uniquely defined depending on whether the value of the y-coordinate is plus or minus. Since the x-coordinate is the value of the definition field GF(q), it must be noted here that the point on the elliptic curve can be represented by (|q|+1) bits.

EMBODIMENT 4

This embodiment corresponds to the first embodiment which performs the superimposed signature and the en-bloc verification thereof. A description will be given below of an embodiment in which the Schnorr scheme is applied to the superimposed signature and the en-bloc verification thereof that utilize the elliptic curve method. The idea of utilizing a second multiple component described below can be widely applied to the ElGamal signature schemes and the digital signature schemes utilizing the interactive proofs including them.

The system configuration to which this embodiment is applied is the same as shown in FIG. 1A ; hence, no description will be repeated.

(4-A) Initial Information Setting Processing

A description will be given below, with reference to FIG. 14 , of initial information setting processing at the time when the center 100 starts the system. This processing is intended to publish a value {q, a, b, P, k} unique to the system.

Step S1: The center apparatus 100 generates the prime q by the prime generator 110 and a, bεGF(q) by a parameter generator 120 .

Step S2: The center apparatus 100 generates a point PεE a,b (GF(q)) on the elliptic curve by a base point generator 130 and the order k of the base point by an order calculator 140 . The elliptic curve E a,b (GF(q)) corresponds to a value of the function G 1 (q) referred to previously in connection with the principles of the present invention, and the point P corresponds to the aforementioned β.

Step S3: The public information {q, a, b, P, k} is sent to the signers 30 1 , . . . , 30 L and the verifier 800 over the secure communication channels 400 and stored in the memories 33 and 88 .

The order calculator 140 can easily be implemented using, for example, the Schoof algorithm for calculating the order of the elliptic curve E a,b (GF(q)) (the number of points on the curve)(see, for example, R. Schoof, “Elliptic Curves Over Finite Fields and the Computation of Square Roots Mod p,” Math. Com., 44, pp.483-494, 1985).

(4-B) Processing by the Signer i for its Subscription to the System

Next, a description will be given, with reference to FIG. 15 , of processing that the signer i performs when it subscribes to the system.

Step S4: The signer i generates the random number s i by the random generator 31 and inputs it and the public information {q, a, b, P} into an n-fold point calculator 32 , wherein the public information I i is computed with the aforementioned function G 2 by

I i =G 2 ( s i , P)= s i P over E a,b (GF( q ))  (59)

Step S5: The signer i apparatus sends the identification information ID i , the public information I i and the one-way functions f i and h i over the secure channel 400 to the center 100 for registering them as public information {ID i , I i , f i , h i }. The signer i holds the random number s i as secret information in the memory 33 .

In the following description the signed version of the document m′ i , which is provided from the signer i apparatus, will be identified by {ID′ i , X′ i , m′ i , y i } The interaction sequence of the message is the same as in the case of FIG. 4 . Upon receiving a message {ID′ i−1 , X′ i−1 , m′ i−1 , y i−1 } from the signer (i−1), the signer i performs the signature generation processing described below. The configuration of the signer apparatus 30 i is depicted in FIG. 16 . Now, a description will be given of the case where the signer (i−1) sends the message to be signed and the signer i attaches his signature to the message and sends the signed message to the next signer (i+1). In the case of the superimposed signature by L signers, it is sufficient only to increase i one by one from i to L and repeat the following procedure. In this case, the signer (L+1) is regarded as the verifier; ID′ 0 =empty set, X′ 0 =empty set and y 0 =0.

(4-C) Processing of the Signer i for Signature Generation

Step S6: The signer i generates the random number r i by the random generator 310 and inputs it into an n-fold point calculator 320 which calculates the function Φ, together with the public information {q, a, b, P} read out of the memory 33 , and wherein X i is calculated by

X i =Φ( r i , P)= r i P over E a,b (GF(q))  (60)

Step S7: The signer i uses the function f i calculator 330 and the function h i calculator 340 to calculate e i and d i by

e i =f i (X′ i , m′ i )  (61)

d i =h i (X′ i , m′ i )  (62)

where

X′ i =(X′ i−1 , X i )  (63)

m′ i =( m′ i−1 , m i )  (64)

Step S8: The signer i inputs e i , d i and r i into the modular multiplier 350 and then into the modular adder 360 , together with the public information k and the secret information s i , generating the signature with the signature function Sg i by

y i =Sg i ( e i , d i , s i , r i , y i−1 )=( y i−1 +d i r i +e i s i ) mod k  (65)

Step S9: The signer i sets ID′ i =(ID′ i−1 , ID i ), and sends the message {ID′ i , X′ i , m′ i , y i } to the next signer (i+1).

(4-D) Processing of the Verifier 800 for Signature Verification

FIG. 17 depicts the functional configuration of the verifier apparatus 800 . When receiving the message {ID′ L , X′ L , m′ L , y L } from the signer L, the verifier verifies the validity of each signature by the processing described below.

Step S10: The first i components of the information X′ L are used to form X′ i and the first i components of the information m′ L are used to form m′ i . These pieces of information X′ i and m′ i thus obtained are input into the function f i calculator 810 and the function h i calculator 820 , wherein the components e i and d i (where 1≦i≦L) are calculated by

e i =f i (X′ i , m′ i )

d i =h i (X′ i , m′ i )

Step S11: The information I i is derived from the ID i component in the information ID′ L and the information X i is also derived from the information X′ L . These pieces of information I i and X i are input, together with the above-mentioned components e i and d i the public information {q, a, b, P} read out of the memory 88 , into an n-fold calculator 830 which calculates the function V, and wherein E is calculated by $$ Z ′ =   ⁢ V ⁡ ( ( X i * d i ) , ( I i * e i ) | i = 1 , ⋯ ⁢   , L ) =   ⁢ ( d 1 ⁢ X 1 + ⋯ + d L ⁢ X L + e 1 ⁢ L 1 + ⋯ ⁢   ⁢ e L ⁢ I L ) ⁢   ⁢ over ⁢   ⁢ E a , b ⁡ ( GF ⁡ ( q ) ) ( 66 )

where

e i =f i (X 1 , . . . , X i , {m 1 , . . . , m i })  (67)

d i =h i (X 1 , . . . , X i , {m 1 , . . . , m i })  (68)

(1≦i≦L)

Step S12: The information y L and the public information {q, a, b, P} are input into the n-fold point calculator 840 which calculates a function Γ(y L *P), thereby calculating W as follows:

 W=Γ( y L , P)= y L P over E a,b (GF( q ))  (69)

Step S13: Z′ and W are input into the comparator 850 , wherein they are compared to make sure that

W=Z′

If they match each other, it is considered that the documents (m i , . . . , m L ) have been duly signed by the L authorized signers i, respectively.

EMBODIMENT 5

This embodiment corresponds to the second embodiment which performs the multi-signature and the en-bloc verification thereof. A description will be given below of an embodiment in which the Schnorr scheme is applied to the multi-signature and the en-bloc verification thereof that utilize the elliptic curve method. In this embodiment, too, the idea of utilizing the second multiple component can be widely applied to the EHGamal signature schemes and the digital signature schemes utilizing the interactive proofs including them.

The system configuration to which this embodiment is applied is the same as shown in FIG. 1A , and the configuration of the center apparatus 100 is the same as shown in FIG. 14 .

(5-A) Initial Information Setting Processing

A description will be given below, with reference to FIG. 14 , of initial information setting processing at the time when the center apparatus 100 starts the system.

Step S1: The center apparatus 100 generates the prime q by the prime generator 110 and a, b, GF(q) by the parameter generator 120 .

Step S2: The center apparatus 100 generates the point Pε a,b (GF(q)) on the elliptic curve by the base point generator 130 which calculates a function G 1 (q) and the order k of the base point P by the order calculator 140 . The point P corresponds to the aforementioned parameter β.

Step S3: The public information {q, a, b, P, k} is sent to the signer apparatuses 30 1 , . . . , 30 L and the verifier apparatus 800 over the secure communication channels 400 and stored in their memories 33 and 88 .

As referred to previously, the order calculator 140 can easily be implemented using the Schoof algorithm which calculates the order of the elliptic curve E a,b (GF(q)) (the number of points on the curve).

(5-B) Processing by the Signer i for its Subscription to the System

Next, a description will be given, with reference to FIG. 18 , of processing that the signer i apparatus performs when it subscribes to the system.

Step S4: The signer i apparatus generates the random number s i by the random generator 310 and inputs it and the public information {q, a, b, P} into the n-fold point calculator 320 which calculates a function G 2 (s i , P), and wherein the public information I i is computed with by

I i =G 2 ( s i , P)= s i P over E a,b (GF( q ))  (70)

Step S5: each signer i apparatus sends the identification information ID i , the public information I i and the one-way functions f i and h i over the secure channel 400 to the center apparatus 100 for registering them as public information {ID i , I i , f i , h i }. The signer i apparatuses each hold the random number s i as secret information.

In the following description the signed version of the document m i , which is provided from the signer i apparatus, will be identified by {I′ i , X′ i , m i , y i }. The interaction sequence of the message is the same as in the case of FIG. 7 . Upon receiving a message {ID′ i−1 , X′ i−1 , m, y i−1 } from the signer (i−1) apparatus, the signer i apparatus performs the signature generation processing described below. The configuration of the signer apparatus 30 i is depicted in FIG. 18 . Now, a description will be given of the case where the signer (i−1) apparatus sends the message to be signed and the signer i apparatus attaches its signature to the message and sends the signed message to the next signer (i+1) apparatus. When L signers generate multi-signature, it is sufficient only to increase i one by one from 1 to L and repeat the following procedure. In this case, the signer (L+1) apparatus is regarded as the verifier apparatus; ID′ 0 =empty set, X′ 0 =empty set and y 0 =0.

(5-C) Processing of the Signer i Apparatus for Signature Generation

Step S6: The signer i apparatus generates the random number r i by the random generator 310 and inputs it into the n-fold point calculator 320 which calculates the function Φ, together with the public information {q, a, b, P} read out of the memory 33 , and wherein X i is calculated by

X i =Φ( r i , P)= r i P over E a,b (GF( q ))  (71)

Step S7: The signer i apparatus calculates e i and d i using the function f i calculator 330 and the function h i calculator 340 by

e i =f i (X′ i , m )  (72)

d i =h i (X′ i , m )  (73)

where X′ i =(X′ i−1 , X i ).

Step S8: The signer i apparatus inputs e i , d i , r i and y i−1 into the modular multiplier 350 and then into the modular adder 360 , together with the public information k and the secret information s i , generating the signature with the signature function Sg i by

y i =Sg i ( e i , d i , s i , r i , y i−1 )=( y i−1 +d i r i +e i s i ) mod k  (74)

Step S9: The signer i apparatus sets ID′ i =(ID′ i−1 , ID i ), and sends the message {ID′ i , X′ i , m, y i } to the next signer (i+1) apparatus.

(5-D) Processing of the Verifier 800 for Signature Verification

FIG. 19 depicts the functional configuration of the verifier apparatus 800 . When receiving the message {ID′ L , X′ L , m, y L } from the signer L apparatus, the verifier apparatus 800 verifies the validity of each signature by the processing described below.

Step S10: The first i components of the information X′ L are used to form X′ i , which is input, along with the message m i into the function f i calculator 810 and the function h i calculator 820 , wherein the components e i and d i (where 1≦I≦L) are calculated by

e i =f i (X′ i , m)

d i =h i (X′ i , m)

Step S11: The information I i is derived from the ID i component in the information ID′ L and the information X i is also derived from the information X′ L . These pieces of information I i and X i are input, together with the above-mentioned components e i and d i and the public information {q, a, b, P, k} read out of the memory 88 , into the n-fold calculator 830 which calculates the function V, and wherein Z′ is calculated by $$ Z ′ =   ⁢ V ⁡ ( ( X i * d i ) , ( I i * e i ) | i = 1 , ⋯ ⁢   , L ) =   ⁢ ( d 1 ⁢ X 1 + ⋯ + d L ⁢ X L + e 1 ⁢ L 1 + ⋯ ⁢   ⁢ e L ⁢ I L ) ⁢   ⁢ over ⁢   ⁢ E a , b ⁡ ( GF ⁡ ( q ) ) ( 75 )

where

e i =f i (X 1 , . . . , X i , m )  (76)

  d i =h i (X 1 , . . . , X i , m )  (77)

(1≦I≦L)

Step S12: The information y L and the public information {q, a, b, P, k} are input into the n-fold point calculator 840 which calculates the function Γ(y L *P), thereby calculating W as follows:

W=Γ( y L ,*P)= y L P over E a,b (GF( q ))  (78)

Step S13: Z′ and W are input into the comparator 850 , wherein they are compared to make sure that

W=Z′

If they match each other, it is considered that the document m has been duly signed by the L authorized signers i.

Each apparatus can be adapted to perform its functions by reading, interpreting and executing programs through the use of a computer. In each signer i apparatus ID′ i =(ID′ i−1 , ID i ) maybe replaced with ID′ i =(ID′ i−1 ,I i ). This requires storing the public information I i in storage means and hence relieves the verifier apparatus of the burden of locating the information I i in the identification information ID i .

EMBODIMENT 6

This embodiment corresponds to the third embodiment in which a plurality of signers individually attach their signatures to respective documents and the signatures are verified en bloc. This embodiment will also be described in connection with the case of applying the Schnorr scheme thereof that utilize the elliptic curve method. In this embodiment, too, the idea of utilizing the second multiple component can be widely applied to the ElGamal signature schemes and the digital signature schemes utilizing the interactive proofs including them.

The system configuration to which this embodiment is applied is the same as shown in FIG. 1B , and the configuration of the center apparatus 100 is the same as shown in FIG. 14 .

In the following description, the signed message will be represented by {ID i , X i , m i , y i } on the assumption that the signer i signs the document m i .

The interaction sequence of the message is the same as that depicted in FIG. 11 . FIG. 20 illustrates in block form the signer i.

(6-A) Processing of the Signer i for Signature Generation

Step S14: The signer i generates the random number r i by the random generator 310 and inputs it into the n-fold point calculator 320 which calculates the function Φ, together with the public information {q, a, b, P,k} read out of the memory 33 , and wherein X i is calculated by

X i =Φ( r i ,P)= r i P over E a,b (GF( q ))  (79)

Step S15: The signer i calculates e i and d i using the function f i calculator 330 and the function h i calculator 340 by

e i =f i (X i , m )  (80)

d i =f i (X i , m )  (81)

Step S16: The signer i inputs e i , d i , and r i into the modular multiplier 350 and then into the modular adder 360 , together with the public information k and the secret information s i , generating the signature with the signature function Sg i by

y i =Sg i ( e i , d i , s i , r i , k )=( d i r i +e i s i ) mod k  (82)

Step S17: The signer i sends the message {ID i , X i , m, y i } to the verifier 800 .

(6-B) Processing of the Verifier 800 for Signature Verification

FIG. 21 depicts in block form the verifier 800 . When receiving L messages {I i , X i , m i , y i } from the L signers, the verifier 800 verifies the validity of each signature by the processing described below.

Step S18: The verifier 800 inputs the information X i and the message m i into the function f i calculator 810 and the function h i calculator 820 , wherein the components e i and d i (where 1≦I≦L) are calculated by

e i =f i (X i , m i )

d i =f i (X i , m i )

Step S19: The verifier 800 derives the information I i from the ID i component and the information X i from the information X′ L , and inputs them, along with the above-mentioned components e i and d i and the public information {q, a, b, P, k} read out of the memory 88 , into the n-fold calculator 830 which calculates the function V, and wherein Z′ is calculated by

Z′=V(X i *d i ), (I i *e i )| i =1, . . . , L)=( d 1 + . . . +d L X L +e 1 L 1 + . . . +e L I L ) over E a,b (GF( q ))  (83)

where

e i =f i (X i , . . . , X i , {m 1 , . . . , m i })  (84)

d i =h i (X 1 , . . . , X i , {m 1 , . . . , m i })  (85)

(1≦I≦L)

Step S20: The verifier 800 inputs the L pieces of information y i and the public information k into the modular adder 840 , wherein an accumulated value Y is calculated by $$ Y = ∑ i = 1 L ⁢ y i ⁢   ⁢ mod ⁢   ⁢ k ( 86 )

and inputs it into the n-fold point calculator 845 which calculates the function Γ(Y*P), thereby calculating W as follows:

 W=Γ(Y*P)=YP over E a,b (GF( q ))  (87)

Step S2 1: Z′ and W are input into the comparator 850 , wherein they are compared to make sure that

W=Z′

If they match each other, it is considered that the L documents m i have each been duly signed by the L authorized signer i.

Taking into account the way of generating the accumulated value Y, $$ YP ≡ ( y L - 1 ⁢ P ) + { d L ⁡ ( r L ⁢ P ) } + { e L ⁡ ( s L ⁢ P ) } ≡ y L ⁢ P + d L ⁢ X L + e L ⁢ I L ≡ ⋯ ≡ ( d 1 ⁢ X 1 + ⋯ + d L ⁢ X L + e 1 ⁢ I 1 + ⋯ + e L ⁢ I L ) ⁢   ⁢ over ⁢   ⁢ E a , b ⁡ ( GF ⁡ ( q ) ) ( 88 )

Hence, when the above said comparison test by the comparator 850 passes, the verifier 800 accepts the documents m 1 (i 1 , . . ., L) as having been duly signed by the L authorized signers, respectively.

EVALUATION OF EMBODIMENTS

Now, an evaluation will be made of the present invention in comparison with the RSA and the Schnorr schemes in terms of the computational complexity of basic operations involved in the signing and verification procedures and the redundancy of messages used and in other terms. The system to be evaluated is one that performs the multi-signature and the verification thereof; accordingly, the evaluation will be made of he second and fifth embodiment of the present invention.

The table of FIG. 22 shows, in comparison, basic calculations for the multi-signature and its verification in the RSA scheme, the Schnorr scheme and the second and fifth embodiments of the invention. The table of FIG. 23 shows the number of calculations involved in the signing and verification procedures in the respective schemes when the equations in FIG. 22 are used. FIG. 23 also shows the redundancy of messages, the number of communications necessary for verifying all signatures and the number of rounds of circulation of each message.

(1) Calculation Amount of Signer Apparatus

In the operations for signing use depicted in the table of FIG. 22 , the calculations of the one-way functions f, f i and h i are faster than the multiplication and the n-fold point calculation; therefore, the amount of calculation of each signer apparatus will be compared in terms of the number of modular N multiplications (including modular N or p calculations) and the number of calculations conducted for the n-fold point on the elliptic curve.

Usually, |N|=1024 and |q|=160 are recommended. In this case, since the leading terms each correspond to the first calculation, the processing speed in the second and fifth embodiments is more than five times higher than in the case of using the RSA cryptosystem as shown in FIG. 23 . It has been reported that the computation of the n-fold point on the elliptic curve as in the fifth embodiment is about 10 times faster than in the signing procedure using the RSA cryptosystem (see, for example, http://WW/certicom.com/html/eccqa.html.)

(2) Calculation Amount of Verifier Apparatus

In the calculations for signature verification shown in FIG. 22 , the calculations of the one-way functions f, f i and h i are faster than the multiplication and the calculation of the n-fold point on the elliptic curve; therefore, the processing amount of the verifier apparatus will be compared in terms of the number of exponentiations (including modular N or p calculations) and the number of calculations conducted for the n-fold point on the elliptic curve. As depicted in FIG. 23 , the computational load for the signature verification by the present invention is the same as in the case of using the RSA cryptosystem but substantially one-half that in the case of using he Scinorr scheme.

(3) Redundancy of Message

In any multi-signature schemes the ID information is added to the message for each signature (the ID′ L components) with a view to making the signer clear. In the following, the redundancy of the message {ID′, X, m, y} is evaluated using the number of bits of each of the X and y components. The signature component (y component) utilizing the RSA cryptosystem is represented by D L . . . D 1 (f(m)). The results are shown in FIG. 23 .

With the method of the second and fifth embodiment according to the present invention, L×|X|+|y| bits. The application of the fifth embodiment provides |p|=|q|=|e|=160 and |X|=|q|+1; hence, 161L+160 bits. This indicates that when 2≦L≦6, the method of the fifth embodiment is advantageous.

(4) Number of Communications and Number of Rounds of Circulation

As referred to previously in connection with the background of the present invention, the multi-signature and verification procedure by the Schnorr scheme involves two rounds of circulation of the message to the signers. On this account, the required number of communications is also about twice larger than the other schemes.

As regards the basis of security of the signature and en-bloc verification schemes according to the present invention, difficulty of the discrete logarithm problem by the modulo p precludes any possibility of success in calculating the secret information s i from the public information {p, q, g, I i }. That each signer apparatus cannot forge the multiple signature including the signature of any other signer apparatus can be guaranteed by combining the methods of the present invention with the “Exact Security” property under the random oracle model that is the results of the theoretical study on the computational complexity.

As for the “Exact Security” property, see, for example, M. Bellare and P. Rogaway, “Random Oracles are Practical: A Paradigm for Designing Efficient Protocols,” Proc. of the First ACM Conference on Computer and Communications Security, pp.62-73, and K. Ohta and T. Okamoto, “The Exact Security of Multi-Signature Schemes,” Technical Report of IEICE ISEC97-27.

EFFECT OF THE INVENTION

As described above, according to the present invention, the signature generation processing can be performed more than five times faster than in the case of using the RSA scheme. The signature verification processing is common in speed to the case of using the RSA scheme but can be made twice faster than in the case of repeatedly using the Schnorr scheme. When L is 6 or smaller, the redundancy of the message in the present invention is the same as in the case of repeatedly using the Schnorr scheme, and is more advantageous than in the case of using the RSA scheme.

It will be apparent that many modifications and variations may be effected without departing from the scope of the novel concepts of the present invention.

Claims

1. A method whereby a verifier verifies en bloc digital signatures attached by a series of signers i=1, 2, . . . , L, said L being an integer equal to or greater than 2, to an electronified document m′i, where information containing a parameter q for each of said signer i to generate a signature function Sgi and a parameter β=G1(q) obtained with a function G1 by the use of said parameter q being published in advance, said method comprising the steps:wherein said each signer i: (a) generates a first random number si as secret information, then generates information Ii=G2(si, β) with a function G2 through the use of a public parameter β and said first random number si, and publishes said information Ii and two one-way functions fi and hi and identification information IDi used by the signer i as his public information {IDi, Ii, fi, hi}; (b) generates a second random number ri, then generates information Xi=Φ(ri, β) by setting said parameter β and said second random number ri in a function Φ, and sets information containing the information Xi as X′i; (c) generates ei=fi(X′i, m′i) di=hi(X′i, m′i) with said one-way functions fi and hi through the use of document information m′i containing a document mi to be signed and said information X′i; and (d) generates, for information containing ei, di, si and ri, a signature yi=Sgi(ei, di, si, ri, yi−1) with a signature function Sgi generated using said parameter q and, sending information {ID′i, X′i, m′i, yi}, containing said identification information IDi as identification information ID′i, to the next signer (i+1) in the series of signers i=1 to L, the last signer L sending the information {ID′L, X′L, m′L, yL} to a verifier as a final destination: and wherein said verifier: (e) computes, from said public information {IDi, Ii, fi, hi}, information Ii corresponding to said identification IDi contained in said information ID′i in the received information {ID′L, X′L, m′L, yL} and said one-way functions fi and hi, and calculates ei and di using said one-way functions fi and hi and X′i and m′i in said received pieces of information X′L and m′L; (f) calculates said information Xi contained in said information X′i, and computes Z′=V((Xi*di), (Ii*ei)|i=1, . . . , L)  with a function V containing calculations (Xi*di) of said di and said Xi and (Ii*ei) of said ei and said Ii for i=1, . . . , L; and (g) computes W=Γ(yL*β) with a function Γ containing a calculation (yL*β) of said yL and said β, then makes a check to see if W=Z′, and if both values match each other, decides that said signatures are all valid.

2. The method of claim 1, wherein:X′i=(X′i−1, Xi), X′0=empty set m′i=(m′i−1, mi), m′0=empty set ID′i=(ID′i−1, IDi), ID′0=empty set y0=0; said signer i receives {ID′i−1, X′i−1, m′i−1, yi−1} from a signer (i−1), and executes said steps (b) through (d), sending information {ID′i, X′i, m′i, yi} to a signer (i+1); and the last signer L executes said steps (b) through (d) on information received from a signer (L−1), generating and sending signature information {ID′L, X′L, m′L, yL} to said verifier.

3. The method of claim 2, wherein: m′1=m1=m; m2=m3 . . . =mL=empty message; said signer i receives information {ID′i−1, X′i−1, m, yi−1} from said signer (i−1), and executes said steps (b) through (d), sending information {ID′i, X′i, m, yi} to said signer (i+1); and said last signer L executes said steps (b) through (d) on the information received from said signer (i−1), generating and sending signature information {ID′L, X′L, m, yL} to said verifier.

4. The method of claim 2 or 3, wherein said ID′i=(ID′i−1, IDi) is replaced with ID′i=(ID′i−1, Ii).

5. The method of claim 2 or 3, wherein: letting the number of elements of a group be represented by p, letting an element g of said group, at which a group calculation starts, be represented by said parameter β, and letting an integer, with which when said element g is group-calculated q times, said calculation returns to g, be represented by said parameter q, these parameters {p, q, g} are published as system public information;the calculation of said information Ii using said function G2(si, g) in said step (a) is conducted by si-times group-calculation of said parameter g using said parameter p; the calculation of said information Xi using said function Φ in said step (b) is conducted by ri-times group-calculations of said parameter g using said parameter p; said step (f) is a step of obtaining Z′ by sequentially calculating values (Xi*di) obtained by di-times multi-component group-calculations of Xi and values (Ii*ei) obtained by ei-times multi-component group-calculations of Ii for every signer i from 1 to L; and said step (g) is a step of calculating W by conducting y′L-times calculations of said parameter g using said received yL and said pieces of public information p and q.

6. The method of claim 5, which further comprises a step of pregenerating said p and q that are primes bearing the relationship of 1=p mod q, and generating a primitive element α of (Z/pZ)*, and wherein:said function G1 for calculating said parameter β=g is given by the following equation: g=G1(q)=α(p−1)/qmod p; said function G2(si, g) in said step (a) is given by the following equation: Ii=G2(si, g)=gsi mod p said function Φ in said step (b) is given by the following equation: Xi=Φ(ri, g)=gri mod p; said signature function Sgi in said step (d) is given by the following equation using said ei, di, ri, si, q and yi−1: yi=Sgi(ei, di, si, ri, yi−1)=(yi−1+diri+eisi) mod q; said function V in said step (f) is given by the following equation: Z′=V⁡((X1*d1),(Ii*ei)|i=1,…⁢ ,L)⁢ ⁢X1d1⁢ ⁢I1eL⁢ ⁢⋯⁢ ⁢XLdL⁢ ⁢ILeLmod⁢ ⁢p; ⁢andsaid function Γ in said step (g) is given by the following equation: W=Γ(yL*g)=gyL mod p.

7. The method of claim 2 or 3, wherein said parameter q is a parameter of a definition field GF(q) of an elliptic curve Ea,b(GF(q)), and letting a base point of an order k on said elliptic curve be represented by said parameter β and a parameter of said elliptic curve by a, bεGF(q), these parameters {q, a, b, P,k} are published as system public information; and wherein:the calculation of said information Ii using said function G2(si, P) in said step (a) is conducted by si-times group-calculations of said parameter p; the calculation of said information Xi using said function Φ in said step (b) is conducted by ri-times group-calculations of said parameter P; said step (f) is a step of obtaining Z′ by sequentially calculating values (Xi*di) obtained by di-times multi-component group-calculations of Xi and values (Ii*ei) obtained by ei-times multi-component group-calculations of Ii for every signer i from 1 to L; and said step (g) is a step of calculating W by yL-times calculations of said parameter P on said elliptic curve using said received information yL and said public information p.

8. The method of claim 7, wherein:said function G1 for calculating said parameter β=P is given by the following equation: G1(q)=PεEa,b(GF(q)); said function G2(si, P) in said step (a) is given by the following equation: Ii=G2(si, P)=siP over Ea,b(GF(q)); said function Φ in said step (b) is given by the following equation: Xi=Φ(ri, P)=riP over Ea,b(GF(q)); said signature function Sgi in said step (d) is given by the following equation using said ei, di, ei, si and yi−1: yi=Sgi(ei, di, si, ri, yi−1)=(yi−1+diri+eisi) mod k; said function V in said step (f) is given by the following equation: Z′= ⁢V⁡((Xi*di),(Ii*ei)|i=1,⋯⁢ ,L)= ⁢(d1⁢X1+⋯+dL⁢XL+e1⁢I1+⋯+eL⁢IL)⁢ ⁢over⁢ ⁢Ea,b⁡(GF⁡(q));andsaid function Γ in said step (g) is given by the following equation: W=Γ(yL*P)=yLP over Ea,b(GF(q)).

9. A method whereby a verifier verifies en bloc digital signatures attached by signers i to an electronified document m′i, where i=1, 2, . . . , L, said L being an integer equal to or greater than 2, information containing a parameter q for each of said signer i to generate a signature function Sgi and a parameter β=G1(q) obtained with a function G1 by the use of said parameter q being published in advance, said method comprising the steps:wherein said each signer i: (a) generates a first random number si as secret information, then generates information Ii=G2(si, β) with a function G2 through the use of a public parameter β and said first random number si, and publishes said information Ii and two one-way functions fi and hi and identification information IDi used by the signer i as his public information {IDi, Ii, fi, hi}; (b) generates a second random number ri, then generates information Xi=Φ(ri, β)by setting said parameter β and said second random number ri in a function Φ, and sets information containing the information Xi as X′i; (c) generates ei=fi(X′i, m′i) di=hi(X′i, m′i) with said one-way functions fi and hi through the use of document information m′i containing a document mi to be signed and said information X′i; and (d) generates, for information containing ei, di, si and ri, a signature yi=Sgi(ei, di, si, ri) with a signature function Sgi generated using said parameter q and, sending out information {ID′i, X′i, m′i, yi}, containing said identification information IDi as identification information ID′i to a verifier as a final destination: and wherein said verifier: (e) computes, from said public information {IDi, Ii, fi, hi}, information Ii corresponding to said identification IDi contained in said information ID′i in the received information {ID′i, X′i, m′i, yi} and said one-way functions fi and hi, and calculates ei and di using said one-way functions fi and hi and said received pieces of information X′i and m′i; (f) calculates said information Xi contained in said information X′i, and computes Z′=V((Xi*di), (Ii*ei)|i=1, . . . , L)  with a function V containing calculations (Xi*di) of said di and said Xi and (Ii*ei) of said ei and said Ii for i=1, . . . , L; and (g) computes W=Γ(Y*β) with a function Γ containing a calculation (Y*β) using β and an accumulated value Y of y1 to yL, then makes a check to see if W=Z′, and if both values match each other, decides that said signatures are all valid.

10. The method of claim 9, wherein: X′i=Xi, m′i=mi, and ID′i=IDi; and said each signer executes said steps (b) through (d), generating and sending information {IDi, Xi, mi, yi} individually to said verifier.

11. The method of claim 10, wherein: letting the number of elements of a group be represented by p, letting an element g of said group, at which a group calculation starts, be represented by said parameter β, and letting an integer, with which when said element g is group-calculated q times, said calculation returns to g, be represented by said parameter q, these parameters {p, q, g} are published as system public information;the calculation of said information Ii using said function G2(si, g) in said step (a) is conducted by si-times group-calculation of said parameter g using said parameter p; the calculation of said information Xi using said function F in said step (b) is conducted by ri-times group-calculation of said parameter g using said parameter p; said step (f) is a step of obtaining Z′ by sequentially calculating values (Xi*di) obtained by di-times multi-component group-calculations of Xi and values (Ii*ei) obtained by ei-times multi-component group-calculations of Ii for every signer i from 1 to L; and said step (g) is a step of calculating an accumulated value Y using L received pieces of information yi, and generating, as said W, a value (g*Y) obtained by operating, Y times, said parameter g using said Y and said pieces of public information p and q.

12. The method of claim 11, which further comprises a step of pregenerating said p and q that are primes bearing the relationship of 1=p mod q, and generating a primitive element α of (Z/pZ)*, and wherein:said function G1 for calculating said parameter β=g is given by the following equation: g=G1(q)=α(p−1)/qmod p; said function G2(si, g) in said step (a) is given by the following equation:  Ii=G2(si, g)=gsi mod psaid function Φ in said step (b) is given by the following equation: Xi=Φ(ri, g)=gri mod p; said signature function Sgi in said step (d) is given by the following equation using said ei, di, ri, si and q: yi=Sgi(ei, di, si, ri)=(diri+eisi) mod q; said function V in said step (f) is given by the following equation: Z′= ⁢V⁡((Xi*di),(Ii*ei)|i=1,…⁢ ,L)= ⁢X1d1⁢I1e1⁢⋯⁢ ⁢XLdL⁢ILeL⁢ ⁢mod⁢ ⁢p;andin said step (g), said accumulated value Y is calculated by Y=∑i=1L⁢yi⁢ ⁢mod⁢ ⁢qand said function Γ in said step (g) is given by the following equation: W=Γ(Y*g)=gYmod p.

13. The method of claim 10, wherein said parameter q is a parameter of a definition field GF(q) of an elliptic curve Ea,b(GF(q)), and letting a base point of an order k on said elliptic curve be represented by said parameter β, a parameter of said elliptic curve by a, bεGF(q), these parameters {q, a, b, P,k} are published as system public information; and wherein:the calculation of said information Ii using said function G2(si, P) in said step (a) is conducted by si-times group-calculations of said parameter p; the calculation of said information Xi using said function Φ in said step (b) is conducted by ri-times group-calculations of said parameter P; said step (f) is a step of obtaining Z′ by sequentially calculating values (Xi*di) obtained by di-times multi-component group-calculations of Xi and values (Ii*ei) obtained by ei-times multi-component group-calculations of Ii for every signer i from 1 to L; and said step (g) is a step of calculating W by Y-times calculations of said parameter P on said elliptic curve using said received information yL and said public information p.

14. The method of claim 13, wherein:said function G1 for calculating said parameter β=P is given by the following equation: G1(q)=PεEa,b(GF(q)); said function G2(si, P) in said step (a) is given by the following equation:  Ii=G2(si, P)=siP over Ea,b(GF(q));said function Φ in said step (b) is given by the following equation: Xi=Φ(ri, P)=riP over Ea,b(GF(q)); said signature function Sgi in said step (d) is given by the following equation using said ei, di, ri and si: yi=Sgi(ei, di, si, ri)=(diri+eisi) mod k; said function V in said step (f) is given by the following equation: Z′= ⁢V⁡((Xi*di),(Ii*ei)|i=1,⋯⁢ ,L)= ⁢(d1⁢X1+⋯+dL⁢XL+e1⁢I1+⋯+eL⁢IL)⁢ ⁢over⁢ ⁢Ea,b⁡(GF⁡(q));andsaid function Γ in said step (g) is given by the following equation: W=Γ(Y*P)=YP over Ea,b(GF(q)) where Y=∑i=1L⁢yi⁢ ⁢mod⁢ ⁢k.

15. A signer apparatus for a system in which each of a series of signers i=1, . . . , L, L being an integer equal to or greater than 2, attaches a digital signature to an electronified document m′i and a verifier verifies said digital signatures en bloc, wherein said, information containing a parameter q for each of said signers i to generate a signature function Sgi and a parameter β=G1(q) obtained with a function G1 by the use of said parameter q are published in advance, said signer apparatus comprising:storage means for storing said public parameters q and β of said system, identification information IDi of said each signer i and a first random number si as his secret information; function G2 means for generating information Ii=G2(si, β) with a function G2 through the use of said public parameter β and said first random number si, said information Ii being published as signer public information {IDi, Ii, fi, hi} together with a pair of one-way functions fi and hi and identification information IDi that said each signer i uses; random generator means for generating a second random number ri; function Φ means for setting said parameter β and said second random number ri in a function Φ to generate information Xi=Φ(ri, β); a pair of one-way function means for generating ei=fi(X′i, m′i) di=hi(X′i, m′i) with said pair of one-way functions fi and hi through the use of document information m′i containing a document in to be signed and information X′i containing said information Xi; signature function means for generating, for information containing ei, di, si, ri and yi−1, a signature yi=Sgi(ei, di, si, ri, yi−1) with a signature function Sgi generated using said parameter q; and means for sending information {ID′i, X′i, m′i, yi}, as information containing said identification information IDi, to the next signer (i+1) in a series of signers 1 to L, the last signer L sending the information {ID′L, X′L, m′L, yL} to a verifier as a final destination.

16. The signer apparatus of claim 15, whereinX′i=(X′i−1, Xi), X′0=empty set m′i=(m′i−1, mi), m′0=empty set ID′i=(ID′i−1, IDi), ID′0=empty set y0=0; upon receiving {ID′i−1, X′i−1, m′i−1, yi−1} from a signer (i−1), said sending means sends out information {ID′i, X′i, m′i, yi} to the next signer (i+1).

17. The signer apparatus of claim 16, wherein: m′1=m1=m; m2=m3 . . . =mL=empty message; said signer i apparatus receives information {ID′i−1, X′i−1, m, yi−1} from said signer (i−1); and said sending means sends out said information {ID′i, X′i, m, yi} to the next signer (i+1).

18. The signer apparatus of claim 16 or 17, wherein said ID′i=(ID′i−1, IDi) is replaced with ID′i=(ID′i−1, Ii).

19. The signer apparatus of claim 16 or 17, wherein: letting the number of elements of a group be represented by p, letting an element g of said group, at which a group calculation starts, be represented by said parameter β, and letting an integer, with which when said element g is group-calculated q times, said calculation returns to g, be represented by said parameter q, these parameters {p, q, g} are published as system public information;said function G2 means is means for calculating said information Ii by conducting si-times group-calculations of said parameter g using said parameter p; and said function Φ means is means for calculating said information Xi by conducting ri-times group-calculations of said parameter g using said parameter p.

20. The signer apparatus of claim 19, wherein: said p and q are primes bearing the relationship of 1=p mod q; letting a primitive element of (Z/pZ)* be represented by α,said parameter β=g is given by the following equation with said function G1: g=G1(q)=α(p−1)/qmod p; said function G2 means is means for calculating said function G2(si, g) by the following equation: Ii=G2(si, g)=gsi mod p said function Φ means is means for calculating said function Φ by the following equation: Xi=Φ(ri, g)=gri mod p; andsaid signature function means is means for calculating said signature function Sgi by the following equation using said ei, di, r1, si, q and yi−1: yi=Sgi(ei, di, si, ri, yi−1)=(yi−1+diri+eisi) mod q.

21. The signer apparatus of claim 16 or 17, wherein said parameter q is a parameter of a definition field GF(q) of an elliptic curve Ea,b(GF(q)), and letting a base point of an order k on said elliptic curve be represented by said parameter β and a parameter of said elliptic curve by a, bεGF(q), these parameters {q, a, b, P,k} are published as system public information; and wherein:said function G2 means is means for calculating said information Ii, based on said function G2(si, P), by conducting si-times group-calculations of said parameter p; and said function Φ means is means for calculating said information Xi, based on said function Φ, by conducting ri-times group-calculations of said parameter P.

22. The signer apparatus of claim 21, wherein:said parameter β=P is given based on said function G1 by the following equation: G1(q)=PεEa,b(GF(q)); said function G2 means is means for calculating said function G2(si, P) by the following equation: Ii=G2(si, P)=siP over Ea,b(GF(q)); said function Φ means is means for calculating said function a by the following equation: Xi=Φ(ri, P)=riP over Ea,b(GF(q)); andsaid signature function means is means for calculating said signature function Sgi by the following equation using said ei, di, ri, si and yi−1: yi=Sgi(ei, di, si, ri, yi−1)=(yi−1+diri+eisi) mod k.

23. A signer apparatus for a system in which each of signers i=1, . . . , L, said L being an integer equal to or greater than 2, attaches a digital signature to an electronified document m′i and a verifier verifies said digital signatures en bloc, wherein said information containing a parameter q for each of said signers i to generate a signature function Sgi and a parameter β=G1(q) obtained with a function G1 by the use of said parameter q are published in advance, said signer apparatus comprising:storage means for storing said public parameters q and β of said system, identification information IDi of said each signer i and a first random number si as his secret information; function G2 means for generating information Ii=G2(si, β) with a function G2 through the use of said public parameter β and said first random number si, said information Ii being published as signer public information {IDi, Ii, fi, hi} together with a pair of one-way functions fi and hi and identification information IDi that said each signer i uses; random generator means for generating a second random number ri; function Φ means for setting said parameter β and said second random number ri in a function Φ to generate information Xi=Φ(ri, β); a pair of one-way function means for generating ei=fi(X′i, m′i) di=hi(X′i, m′i) with said pair of one-way functions fi and hi through the use of document information m′i containing a document mi to be signed and information X′i containing said information Xi, signature function means for generating, for information containing ei, di, si and ri, a signature yi=Sgi(ei, di, si, ri) with a signature function Sgi generated using said parameter q; and means for sending information {ID′i, X′i, m′i, yi}, as information containing said identification information IDi to a verifier.

24. The signer apparatus of claim 23, wherein: X′i=Xi, m′i=mi, and ID′i=IDi; and said sending means generates and sends information {IDi, Xi, mi, yi}, as said information {ID′i, X′i, m′i, yi}, to said verifier.

25. The signer apparatus of claim 24, wherein: letting the number of elements of a group be represented by p, letting an element g of said group, at which a group calculation starts, be represented by said parameter β, and letting an integer, with which when said element g is group-calculated q times, said calculation returns to g, be represented by said parameter q, these parameters {p, q, g} are published as system public information;said function G2 means is means for calculating said information Ii, base on said function G2(si, g), by conducting si-times group-calculations of said parameter g using said parameter p; and said function Φ means is means for calculating said information Xi, based on said function Φ by conducting ri-times group-calculations of said parameter g using said parameter p.

26. The signer apparatus of claim 25, wherein: said p and q are primes bearing the relationship of 1=p mod q; letting a primitive element of (Z/pZ)* be represented by α,said function G1 means for calculating said parameter β=g is means for calculating g=G1(q)=α(p−1)/qmod p; said function G2 means is means for calculating said function G2(si, g) by the following equation: Ii=G2(si, g)=gsi mod p said function Φ means is means for calculating said function Φ by the following equation: Xi=Φ(ri, g)=gri mod p; andsaid signature function means is means for calculating said signature function Sgi by the following equation using said ei, di, ri, si, and q: yi=Sgi(ei, di, si, ri)=(diri+eisi) mod q.

27. The signer apparatus of claim 24, wherein said parameter q is a parameter of a definition field GF(q) of an elliptic curve Ea,b(GF(q)), and letting a base point of an order k on said elliptic curve be represented by said parameter β and a parameter of said elliptic curve by a, bεGF(q), these parameters {q, a, b, P,k} are published as system public information; and wherein:said function G2 means is means for calculating said information Ii, based on said function G2(si, P), by conducting si-times group-calculations of said parameter p; and said function Φ means is means for calculating said information Xi, based on said function Φ, by conducting ri-times group-calculations of said parameter P.

28. The signer apparatus of claim 27, wherein:said parameter β=P is given based on said function G1 by the following equation: G1(q)=PεEa,b(GF(q)); said function G2 means is means for calculating said function G2(si, P) by the following equation: Ii=G2(si, P)=siP over Ea,b(GF(q)); said function Φ means is means for calculating said function Φ by the following equation: Xi=Φ(ri, P)=riP over Ea,b(GF(q)); andsaid signature function means is means for calculating said signature function Sgi by the following equation using said ei, di, ri and si: yi=Sgi(ei, di, si, ri)=(diri+eisi) mod k.

29. A verifier apparatus for a system in which each of a series of signers i=1 to L, L being an integer equal to or greater than 2, attaches a digital signature to an electronified document m′i and a verifier verifies the digital signatures of the signers en bloc, wherein information containing a parameter q for each of said signers, i, to generate a signature function Sgi and a parameter β=G1(q) obtained with a function G1 by the use of said parameter q are published in advance, said verifier apparatus comprising:a pair of one-way function means for obtaining, from public information {IDi, Ii, fi, hi}, information Ii corresponding to identification information IDi contained in ID′L in information {ID′L, X′L, m′L, yL} received from the last one, L, of the series of signers and one-way functions fi and hi, and for calculating ei=fi(X′i, m′i) di=hi(X′i, m′i) through the use of said one-way functions fi and hi and information X′i and m′i contained in said received pieces of information X′L and m′L; function V means for obtaining Xi in said information X′i and for calculating Z′=V((Xi*di), (Ii*ei)|i=1, . . . , L) through the use of a function V containing a calculation (Xi*di) of di and Xi and a calculation (Ii*ei) of ei and Ii; function Γ means for obtaining W=Γ(yi*β) by a function Γ containing a calculation (yi*β) of yi and β; and comparison means supplied with said Z′ and W, for making a check to see if they match each other, and if they match each other, providing an output indicating that said received document (m1, . . . , mL) have been duly signed by L signer i apparatuses.

30. The verifier apparatus of claim 29, whereinX′i=(X′i−1, Xi), X′0=empty set m′i=(m′i−1, mi), m′0=empty set ID′i=(ID′i−1, IDi), ID′0=empty set y0=empty set.

31. The verifier apparatus of claim 30, wherein: m′i=m1=m; m2=m3 . . . =mL=empty sets; said verifier apparatus receives signed information {IDL, XL, mL, yL} directly from said last signer L.

32. The verifier apparatus of claim 30 or 31, wherein said ID′i=(ID′i−1, IDi) is replaced with ID′i=(ID′i−1, Ii).

33. The verifier apparatus of claim 30 or 31, wherein: letting the number of elements of a group be represented by p, letting an element g of said group, at which a group calculation starts, be represented by said parameter β, and letting an integer, with which when said element g is group-calculated q times, said calculation returns to g, be represented by said parameter q, these parameters {p, q, g} are published as system public information;said function V means is means for obtaining Z′ by sequentially calculating values (Xi*di) obtained by di-times multi-component group-calculations of Xi and values (Ii*ei) obtained by ei-times multi-component group-calculations of Ii for every i from 1 to L; and said function Γ means is means for obtaing W by conducting yL-times group-calculations of said parameter g using received yL and said pieces of public information p and q.

34. The verifier apparatus of claim 33, wherein: said p and q are primes bearing the relationship of 1=p mod q; letting a primitive element of (Z/pZ)* be represented by α,said parameter β=g is given by the following equation with said function G1: g=G1(q)=α(p−1)/qmod p; said function V means is means for calculating said function V by the following equation: Z′= ⁢V⁡((Xi*di),(Ii*ei)|i=1,…⁢ ,L)= ⁢X1d1⁢I1e1⁢⋯⁢ ⁢XLdL⁢ILeL⁢ ⁢mod⁢ ⁢p;andsaid function Γ means is means for calculating said function Γ by the following equation: W=Γ(yi*g)=gyL mod p.

35. The verifier apparatus of claim 30 or 31, wherein said parameter q is a parameter of a definition field GF(q) of an elliptic curve Ea,b(GF(q)), and letting a base point of an order k on said elliptic curve be represented by said parameter β and a parameter of said elliptic curve by a, bεGF(q), these parameters {q, a, b, P,k} are published as system public information; and wherein:said function V means is means for obtaining Z′ by sequentially calculating values (Xi*di) obtained by di-times multi-component group-calculations of Xi and values (Ii*ei) obtained by ei-times multi-component group-calculations of Ii for every i from 1 to L; and said function Γ means is means for calculating W by yL-times calculations of said parameter P on said elliptic curve using said received information yL and said public information P.

36. The verifier apparatus of claim 35, wherein:said function G1 for calculating said parameter β=P is given by the following equation: G1(q)=PεEa,b(GF(q)); said function V means is means for calculating said function V by the following equation: Z′= ⁢V⁡((Xi*di),(Ii*ei)|i=1,⋯⁢ ,L)= ⁢(d1⁢X1+⋯+dL⁢XL+e1⁢I1+⋯+eL⁢IL)⁢ ⁢over⁢ ⁢Ea,b⁡(GF⁡(q));andsaid function Γ means is means for calculating said function Γ by the following equation: W=Γ(yL*P)=yLP over Ea,b(GF(q)).

37. A verifier apparatus for a system in which each of signers i=1 to L, L being an integer equal to or greater than 2, attaches a digital signature to an electronified document m′i and a verifier verifies the digital signatures of the signers en bloc, wherein information containing a parameter q for each of said signers, i, to generate a signature function Sgi and a parameter β=G1(q) obtained with a function G1 by the use of said parameter q are published in advance, said verifier apparatus comprising:a pair of one-way function means for obtaining, from public information {IDi, Ii, fi, hi} information Ii corresponding to identification information IDi contained in ID′i in information {ID′i, X′i, m′i, yi} received from each of said signers, i, and one-way functions fi and hi, and for calculating ei=fi(X′i, m′i) di=hi(X′i, m′i) through the use of said one-way functions fi and hi and said received pieces of information X′i and m′i; function V means for obtaing Xi in said information X′i and for calculating Z′=V((Xi*di), (Ii*ei)|i=1, . . . , L) through the use of a function V containing a calculation (Xi*di) of di and Xi and a calculation (Ii*ei) of ei and Ii; function Γ means for obtaining W=Γ(Y*β) by a function Γ containing a calculation (Y*β) using β and an accumulated value Y of y1 to yL; and comparison means supplied with said Z′ and W, for making a check to see if they match each other, and if they match each other, providing an output indicating that said received document (m1, . . . , mL) have been duly signed by L signer i apparatuses.

38. The verifier apparatus of claim 35, wherein: X′i=Xi, m′i=mi, and ID′i=IDi.

39. The verifier apparatus of claim 36, wherein: letting the number of elements of a group be represented by p, letting an element g of said group, at which a group calculation starts, be represented by said parameter β, and letting an integer, with which when said element g is group-calculated q times, said calculation returns to g, be represented by said parameter q, these parameters {p, q, g} are published as system public information;said function V means is means for obtaining Z′ by sequentially calculating values (Xi*di) obtained by di-times multi-component group-calculations of Xi and values (Ii*ei) obtained by ei-times multi-component group-calculations of Ii for every i from 1 to L; and said function Γ means is means for calculating an accumulated value Y using L received pieces of information yi, and generating, as said W, a value (g*Y) obtained by calculating Y times said parameter g using said Y and said pieces of public information p and q.

40. The verifier apparatus of claim 39, wherein: said p and q are primes bearing the relationship of 1=p mod q; letting a primitive element of (Z/pZ)* be represented by α,said parameter β=g is given by the following equation with said function G1:  g=G1(q)=α(p−1)/qmod p;said function V means is means for calculating said function V by the following equation: Z′= ⁢V⁡((Xi*di),(Ii*ei)|i=1,…⁢ ,L)= ⁢X1d1⁢I1e1⁢⋯⁢ ⁢XLdL⁢ILeL⁢ ⁢mod⁢ ⁢p;andsaid function Γ means is means for calculating said accumulated value Y by the following equation: Y=∑i=1L⁢yi⁢ ⁢mod⁢ ⁢qand calculating said function Γ by the following equation:W=Γ(Y*g)=gYmod p.

41. The verifier apparatus of claim 40, wherein said parameter q is a parameter of a definition field GF(q) of an elliptic curve Ea,b(GF(q)), and letting a base point of an order k on said elliptic curve be represented by said parameter β and a parameter of said elliptic curve by a, bεGF(q), these parameters {q, a, b, P,k} are published as system public information; and wherein:said function V means is means for obtaining Z′ by sequentially calculating values (Xi*di) obtained by di-times multi-component group-calculations of Xi and values (Ii*ei) obtained by ei-times multi-component group-calculations of Ii for every i from 1 to L; and said function Γ means is means for calculating W by yL-times calculations of said parameter P on said elliptic curve using said received information yL and said public information P.

42. The verifier apparatus of claim 41, wherein:said function G1 for calculating said parameter β=P is given by the following equation: G1(q)=PεEa,b(GF(q)); said function V means is means for calculating said function V by the following equation: Z′= ⁢V⁡((Xi*di),(Ii*ei)|i=1,⋯⁢ ,L)= ⁢(d1⁢X1+⋯+dL⁢XL+e1⁢I1+⋯+eL⁢IL)⁢ ⁢over⁢ ⁢Ea,b⁡(GF⁡(q));andsaid function Γ means is means for calculating said function Γ by the following equation: W=Γ(Y*P)=YP over Ea,b(GF(q)) where Y=∑i=1L⁢yi⁢ ⁢mod⁢ ⁢k.

43. A recording medium for a signer apparatus which has recorded thereon a program which is used in said signer apparatus in a system in which: each of a series of signers, i, attaches a digital signature to an electronified document m′i and a verifier verifies said digital signatures en bloc; i=1, . . . , L, L being an integer equal to or greater than 2; information containing a parameter q for each signer i to generate a signature function Sgi and a parameter β=G1(q) obtained with a function G1 through the use of said parameter q is published in advance; and information Ii=G2(si, β) pregenerated by said each signer i using said public parameter β and a secret random number si, a pair of one-way functions fi and hi for use by said each signer i and identification information IDi are published as signer public information {IDi, Ii, fi, hi} in advance; said program comprising the steps of:(a) generating a second random number ri; (b) setting said parameter β and said second random number ri in a function Φ to generate information Xi=Φ(ri, β); (c) generating ei=fi(X′i, m′i) di=hi(X′i, m′i) with said one-way functions fi and hi through the use of document information m′i containing said document mi to be signed and said information X′i containing said information Xi; (d) generating, for information containing ei, di, si, ri and yi−1, a signature yi=Sgi(ei, di, si, ri, yi−1) with a signature function Sgi generated using said parameter q; and (e) sending information {ID′i, X′i, m′i, yi}, containing said identification information IDi as identification information ID′i, to the next signer (i+1), the last signer L sending the information {ID′L, X′L, m′L, m′L, yL} to a verifier as a final destination.

44. The recording medium of claim 43, wherein, in said program;X′i=(X′i−1, Xi), X′0=empty set m′i=(m′i−1, mi), m′0=empty set ID′i=(ID′i−1, IDi), ID′0=empty set y0=0; said signer i receives signed information {ID′i−1, X′i−1, m′i−1, yi−1} from a signer (i−1), then executes said steps (a) through (d) based on said received information.

45. The recording medium of claim 44, wherein, in said program: m′1=m1=m; m2=m3 . . . =mL=empty message; said signer i receives information {ID′i−1, X′i−1, m, yi−1} from said signer (i−1), then executes said steps (a) through (d) based on said received information, and sends out information {ID′i, X′i, m, yi} via said signer (i+1) in step (e).

46. The recording medium of claim 44 or 45, wherein said ID′i=(ID′i−1, IDi) is replaced with ID′i=(ID′i−1, Ii) in said program.

47. The recording medium of claim 44 or 45, wherein, in said program: letting the number of elements of a group be represented by p, letting an element g of said group, at which a group calculation starts, be represented by said parameter β, and letting an integer, with which when said element g is group-calculated q times, said calculation returns to g, be represented by said parameter q, these parameters {p, q, g} are published as system public information;said information Ii is obtained in advance by conducting si-times group-calculation of said parameter g using said parameter p; and said step (b) is a step of obtaining Xi by conducting ri-times group-calculations of said parameter g using said parameter p.

48. The recording medium of claim 47, wherein, in said program: said p and q are primes bearing the relationship of 1=p mod q; letting a primitive element of (Z/pZ)* be represented by α,said parameter β=g is given in advance with said function G1 by the following equation: g=G1(q)=α(p−1)/qmod p; said information Ii is given in advance with said function G2 by the following equation:  Ii=G2(si, g)=gsi mod p;said step (d) is a step of calculating said information Xi with said function Φ by the following equation: Xi=Φ(ri, g)=gri mod p; andsaid step (d) is a step of calculating said signature function Sgi by the following equation using said ei, di, ri, si, q and yi−1: yi=Sgi(ei, si, ri, yi−1)=(yi−1+diri+eisi) mod q.

49. The recording medium of claim 44 or 45, wherein, in said program: said parameter q is a parameter of a definition field GF(q) of an elliptic curve Ea,b(GF(q)), and letting a base point of an order k on said elliptic curve be represented by said parameter β and a parameter of said elliptic curve by a, bεGF(q), these parameters {q, a, b, P,k} are published as system public information; and wherein:said information Ii is obtained in advance with said function G2(si, P) by conducting si-times group-calculations of said parameter P; and said step (b) is a step of obtaining said information Xi with said function Φ by conducting ri-times group-calculations of said parameter P.

50. The recording medium of claim 49, wherein, in said program: said parameter β=P is given based on said function G1 by the following equation:G1(q)=PεEa,b(GF(q)); said information Ii is calculated with said function G2 by the following equation: Ii=G2(si, P)=siP over Ea,b(GF(q)); said step (b) is a step of calculating said information Xi with said function Φ by the following equation: Xi=Φ(ri, P)=riP over Ea,b(GF(q)); andsaid step (d) is a step of calculating said signature function Sgi by the following equation using said ei, di, ri, si and yi−1: yi=Sgi(ei, di, si, ri, yi−1)=(yi−1+diri+eisi) mod k.

51. A recording medium for a signer apparatus which has recorded thereon a program which is used in said signer apparatus in a system in which: each of signers, i, attaches a digital signature to an electronified document m′i and a verifier verifies said digital signatures en bloc; i=1, . . . , L, L being an integer equal to or greater than 2; information containing a parameter q for each signer i to generate a signature function Sgi and a parameter β=G1(q) obtained with a function G1 through the use of said parameter q is published in advance; and information Ii=G2(si, β) pregenerated by said each signer i using said public parameter β and a secret random number si, a pair of one-way functions fi and hi for use by said each signer i and identification information IDi are published as signer public information {IDi, Ii, fi, hi} in advance; said program comprising the steps of:(a) generating a second random number ri; (b) setting said parameter β and said second random number ri in a function Φ to generate information X1=Φ(ri, β); (c) generating ei=fi(X′i, m′i) di=hi(X′i, m′i) with said one-way functions fi and hi through the use of document information m′i containing said document mi to be signed and said information X′i, containing said information Xi; (d) generating, for information containing ei, di, si, and ri, a signature yi=Sgi(ei, di, si, ri) with a signature function Sgi generated using said parameter q; and (e) sending information {ID′i, X′i, m′i, yi}, containing said identification information IDi as identification information ID′i, to a verifier.

52. The recording medium of claim 51, wherein, in said program: X′i=Xi, m′i=mi, and ID′i=IDi; and said signer i executes said steps (a) through (e), thereby generating and sending information {IDi, Xi, mi, yi}, as said information {ID′i, X′i, m′i, yi}, individually to said verifier.

53. The recording medium of claim 52, wherein, in said program: letting the number of elements of a group be represented by p, letting an element g of said group, at which a group calculation starts, be represented by said parameter β, and letting an integer, with which when said element g is group-calculated q times, said calculation returns to g, be represented by said parameter q, these parameters {p, q, g} are published as system public information;said information Ii is obtained in advance with said function G2(si, g) by conducting si-times group-calculations of said g using said p; and said step (b) is a step of obtaining said information Xi with said function Φ(ri, g) by conducting ri-times group-calculations of said g using p.

54. The recording medium of claim 53, wherein, in said program: said p and q are primes bearing the relationship of 1=p mod q; letting a primitive element of (Z/pZ)* be represented by α,said parameter β=g is given in advance with said function G1 by the following equation: g=G1(q)=α(p−1)/qmod p; said information Ii is given in advance with said function G2 by the following equation: Ii=G2(si, g)=gsi mod p; said step (b) is a step of calculating said information Xi with said function Φ by the following equation: Xi=Φ(ri, g)=gri mod p; andsaid step (d) is a step of calculating said signature function Sgi by the following equation using said ei, di, ri, si and q: yi=Sgi(ei, di, si, ri)=(diri+eisi) mod q.

55. The recording medium of claim 52, wherein, in said program: said parameter q is a parameter of a definition field GF(q) of an elliptic curve Ea,b(GF(q)), and letting a base point of an order k on said elliptic curve be represented by said parameter β and a parameter of said elliptic curve by a, bεGF(q), these parameters {q, a, b, P,k} are published as system public information; and wherein:said information Ii is obtained in advance with said function G2(si, P) by conducting si-times group-calculations of said parameter P; and said step (b) is a step of obtanig said information Xi with said function Φ by conducting ri-times group-calculations of said parameter P.

56. The recording medium of claim 55, wherein, in said program: said parameter β=P is given based on said function G1 by the following equation:G1(q)=PεEa,b(GF(q)); said information Ii is calculated with said function G2 by the following equation: Ii=G2(si, P)=siP over Ea,b(GF(q)); said step (b) is a step of calculating said information Xi with said function Φ by the following equation:  Xi=Φ(ri, P)=riP over Ea,b(GF(q));andsaid step (d) is a step of calculating said signature function Sgi by the following equation using said ei, di, ri and si: yi=Sgi(ei, di, si, ri)=(diri+eisi) mod k.

57. A recording medium for a verifier apparatus which has recorded thereon a program which is used in said verifier apparatus in a system in which: each of a series of signers, i, attaches a digital signature to an electronified document m′i and a verifier verifies said digital signatures en bloc; i=1, . . . , L, L being an integer equal to or greater than 2; and information containing a parameter q for each signer i to generate a signature function Sgi and a parameter β=G1(q) obtained with a function G1 through the use of said parameter q is published in advance; said program comprising the steps of:(a) obtaining, from public information {IDi, Ii, fi, hi}, information Ii corresponding to identification information IDi contained in ID′i in information {ID′L, X′L, m′L, yL} received from the last signer L of the series of said signers and one-way functions fi and hi, and calculating ei=fi(X′i, m′i) di=hi(X′i, m′i) through the use of said one-way functions fi and hi and information X′i and m′i contained in said received pieces of information X′L and m′L; (b) obtaining Xi in said information X′i and calculating Z′=V((Xi*di), (Ii*ei)|i=1, . . . , L)  by a function V containing a calculation (Xi*di) of di and Xi and a calculation (Ii*ei) of ei and Ii; (c) obtaining W=Γ(y1*β) by a function Γ containing a calculation (yi*β) of yi and β; and (d) receiving said values Z′ and W, then making a check to see if they match each other, and if they match each other, providing an output indicating that said received documents (m1, . . . , mL) have been duly signed by L signers.

58. The recording medium of claim 57, wherein, in said program;X′i=(X′i−1, Xi), X′0=empty set m′i=(m′i, mi), m′0=empty set ID′i=(ID′i−1, IDi), ID′0=empty set y0=0; when receiving signed information {ID′L, X′L, m′L, yL} from the last signer L, said verifier executes said steps (a) through (d) based on said received information.

59. The recording medium of claim 58, wherein, in said program: m′1=m1=m; m2=m3 . . . =mL=empty message; said verifier receives signed information {ID′L, X′L, m, yL} from said signer L, and executes said steps (a) through (d) based on said received information.

60. The recording medium of claim 58 or 59, wherein said ID′i=(ID′i−1, IDi) is replaced with ID′i=(ID′i−1, Ii) in said program.

61. The recording medium of claim 58 or 59, wherein: in said program: letting the number of elements of a group be represented by p, letting an element g of said group, at which a group calculation starts, be represented by said parameter β, and letting an integer, with which when said element g is group-calculated q times, said calculation returns to g, be represented by said parameter q, these parameters {p, q, g} are published as system public information;said step (b) is a step of obtaining Z′ by sequentially calculating values (Xi*di) obtained by di-times multi-component group-calculations of Xi and values (Ii*ei) obtained by ei-times multi-component group-calculations of Ii for every i from 1 to L; and said step (c) is a step of obtaining W by conducting yL-times group-calculations of said parameter g using received yL and said pieces of public information p and q.

62. The recording medium of claim 61, wherein, in said program: said p and q are primes bearing the relationship of 1=p mod q; letting a primitive element of (Z/pZ)* be represented by α,said parameter β=g is given in advance by the following equation with said function Gi: g=G1(q)=α(p−1)/qmod p; said step (b) is a step for calculating said function V by the following equation: Z′= ⁢V⁡((Xi*di),(Ii*ei)|i=1,…⁢ ,L)= ⁢X1d1⁢I1e1⁢⋯⁢ ⁢XLdL⁢ILeL⁢ ⁢mod⁢ ⁢p;andsaid step (c) is a step of calculating said function Γ by the following equation: W=Γ(yi*g)=gyL mod p.

63. The recording medium of claim 58 or 59, wherein, in said program: said parameter q is a parameter of a definition field GF(q) of an elliptic curve Ea,b(GF(q)), and letting a base point of an order k on said elliptic curve be represented by said parameter β and a parameter of said elliptic curve by a, bεGF(q), these parameters {q, a, b, P,k} are published as system public information; and wherein:said step (b) is a step of obtaining Z′ by sequentially calculating values (Xi*di) obtained by di-times multi-component group-calculations of Xi and values (Ii*ei) obtained by ei-times multi-component group-calculations of Ii for every i from 1 to L; and said step (c) is a step of calculating W by yL-times calculations of said parameter P on said elliptic curve using said received information yL and said public information P.

64. The recording medium of claim 63, wherein, in said program: said function G1 for calculating said parameter β=P is given in advance by the following equation:G1(q)=PεEa,b(GF(q)); said step (b) is a step of calculating said function V by the following equation: Z′= ⁢V⁡((Xi*di),(Ii*ei)|i=1,⋯⁢ ,L)= ⁢(d1⁢X1+⋯+dL⁢XL+e1⁢I1+⋯+eL⁢IL)⁢ ⁢over⁢ ⁢Ea,b⁡(GF⁡(q));andsaid step (c) is a step of calculating said function Γ by the following equation: W=Γ(yL*P)=yLP over Ea,b(GF(q)).

65. A recording medium for a verifier apparatus which has recorded thereon a program which is used in said verifier apparatus in a system in which: each of signers, i, attaches a digital signatures to an electronified document m′i and a verifier verifies said digital signatures en bloc; i=1, . . . L, L being an integer equal to or greater than 2; and information containing a parameter q for each signer i to generate a signature function Sgi and a parameter β=G1(q) obtained with a function G1 through the use of said parameter q is published in advance; said program comprising the steps of:(a) obtaining, from public information {IDi, Ii, fi, hi}, information Ii corresponding to identification information IDi contained in ID′i in information {ID′i, X′i, m′i, yi} received from each of said signers, i, and one-way functions fi and hi, and calculating ei=fi(X′i, m′i) di=hi(X′i, m′i) through the use of said one-way functions fi and hi and said received pieces of information X′i and m′i; (b) obtaining Xi in said information X′i and calculating Z′=V((Xi*di), (Ii*ei)|i=1, . . . , L) by a function V containing a calculation (Xi*di) of di and Xi and a calculation (Ii*ei) of ei and Ii; (c) obtaining W=Γ(Y*β) by a function Γ containing a calculation (Y*β) using β and an accumulated value Y of y1 to yL; and (d) receiving said values Z′ and W, then making a check to see if they match each other, and if they match each other, providing an output indicating that said received documents (m1, . . . , mL) have been duly signed by L signer i apparatuses.

66. The recording medium of claim 65, wherein, in said program: X′i=Xi, m′i=mi, and ID′i=IDi; and said verifier receives signed information {IDi, Xi, mi, yi} individually from each signer i, and executes said steps (a) through (d).

67. The recording medium of claim 66, wherein, in said program: letting the number of elements of a group be represented by p, letting an element g of said group, at which a group calculation starts, be represented by said parameter β, and letting an integer, with which when said element g is group-calculated q times, said calculation returns to g, be represented by said parameter q, these parameters {p, q, g} are published as system public information;said step (b) is a step of obtaining Z′ by sequentially calculating values (Xi*di) obtained by di-times multi-component group-calculations of Xi and values (Ii*ei) obtained by ei-times multi-component group-calculations of Ii for every i from 1 to L; and said step (c) is a step of calculating an accumulated value Y using L received pieces of information yi and said public information q and calculating, as said W, a value (g*Y) obtained by operating Y times said parameter g using said pieces of public information p and q.

68. The recording medium of claim 67, wherein, in said program: said p and q are primes bearing the relationship of 1=p mod q; letting a primitive element of (Z/pZ)* be represented by α,said parameter β=g is given by the following equation with said function G1: g=G1(q)=α(p−1)/qmod p; said step (b) is a step of calculating said function V by the following equation: Z′= ⁢V⁡((Xi*di),(Ii*ei)|i=1,…⁢ ,L)= ⁢X1d1⁢I1e1⁢⋯⁢ ⁢XLdL⁢ILeL⁢ ⁢mod⁢ ⁢p;andsaid step (c) is a step of calculating said accumulated value Y by Y=∑i=1L⁢yi⁢ ⁢mod⁢ ⁢qand calculating said function Γ by the following equation:W=Γ(Y*g)=gYmod p.

69. The recording medium of claim 66, wherein, in said program: said parameter q is a parameter of a definition field GF(q) of an elliptic curve Ea,b(GF(q)), and letting a base point of an order k on said elliptic curve be represented by said parameter β and a parameter of said elliptic curve by a, bεGF(q), these parameters {q, a, b, P,k} are published as system public information; and wherein:said step (b) is a step of obtaining Z′ by sequentially calculating values (Xi*di) obtained by di-times multi-component group-calculations of Xi and values (Ii*ei) obtained by conducting ei-times multi-component group-calculations of Ii for every i from 1 to L; and said step (c) is a step of calculating W by conducting yL-times calculations of said parameter P on said elliptic curve using said received information yL and said public information P.

70. The recording medium of claim 69, wherein, in said program: said function G1 for calculating said parameter β=P is given in advance by the following equation:G1(q)=PεEa,b(GF(q)); said step (b) is a step of calculating said function V by the following equation: Z′= ⁢V⁡((Xi*di),(Ii*ei)|i=1,⋯⁢ ,L)= ⁢(d1⁢X1+⋯+dL⁢XL+e1⁢I1+⋯+eL⁢IL)⁢ ⁢over⁢ ⁢Ea,b⁡(GF⁡(q));andsaid step (c) is a step of calculating said function Γ by the following equation: W=Γ(Y*P)=YP over Ea,b(GF(q)) where Y=∑i=1L⁢yi⁢ ⁢mod⁢ ⁢k.