The present invention relates generally to digital signature techniques, and specifically to techniques for authenticating a digitally signed document.
Digital signature techniques add the function of the conventional seal to a digitized message such as an electronic document, and are attracting attention since the techniques make it possible to develop advanced applications of networks as seen in electronic commerce.
In conventional digital signature techniques, a digital signature generator applies a secret key that it holds in secret to a message M to be signed, or to its hash value (a characteristic value of the message, also called a message digest), to generate a digital signature A for the message M. The message M is then made public with the digital signature A attached to it. A digital signature verifier applies the public key paired with that secret key to the digital signature A attached to the message M, and compares the result against the message M or its hash value. If they do not coincide, the message M may have been altered in some way after the digital signature A was generated. Therefore, only when they coincide can the verifier authenticate that the digital signature A was generated for the present message M.
However, such conventional digital signature techniques are often based upon an assumption that each digital signature generator maintains its own secret key in complete security. That is, it is assumed that the only person who can generate a digital signature which can be verified by use of a specific public key is a digital signature generator who lawfully holds a secret key paired with the public key.
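The generate-and-verify flow and the key-secrecy assumption described in the two paragraphs above, as an added example that is not part of the original text. It assumes textbook RSA over SHA-256 with no padding and a constructed toy key built from publicly known Mersenne primes; the function names and sample messages are hypothetical.

```python
import hashlib

# Constructed toy key (assumption): publicly known Mersenne primes and
# unpadded textbook RSA, for illustration only.
P, Q = 2**127 - 1, 2**521 - 1
N = P * Q                                   # public modulus
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # secret exponent


def digest(message: bytes) -> int:
    """Hash value (message digest) of M as an integer; always below N here."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, secret_exponent: int) -> int:
    """Generator side: apply the secret key to the hash of M, giving A."""
    return pow(digest(message), secret_exponent, N)


def verify(message: bytes, signature: int) -> bool:
    """Verifier side: apply the public key to A and compare with the hash of M."""
    return pow(signature, E, N) == digest(message)


def demo() -> dict:
    m = b"contract, revision 1"             # constructed sample message
    a = sign(m, D)
    # Same operation performed by anyone holding a copy of the secret key.
    copied_key = D
    other = b"contract, revision 2"
    a_other = sign(other, copied_key)
    return {
        "genuine": verify(m, a),                  # A matches M
        "altered": verify(other, a),              # M changed after signing
        "copied_key": verify(other, a_other),     # indistinguishable to verifier
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:11s} verifies: {ok}")
```

The verifier's check depends only on the key pair, so the third case passes exactly as the first does: verification establishes which key produced A, not who held that key.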
What is really needed are techniques for determining whether a digital signature was generated by a digital signature generator or by a third party posing as the digital signature generator.