1. Field of the Invention
The invention relates to a digital signature generation apparatus, digital signature verification apparatus, and key generation apparatus, which exploit a common-key cryptosystem technique.
2. Description of the Related Art
In the present-day network society in which people communicate by exchanging lots of information such as e-mail messages and the like on networks, cryptosystem techniques are prevalently used as means for retaining information security and authenticity.
The cryptosystem techniques can be roughly classified into a common-key cryptosystem technique and public-key cryptosystem technique. The common-key cryptosystem technique is a cryptosystem based on a data stirring algorithm, can make high-speed encryption and decryption, and allows only two parties having a common key to make secret communications and authentication communications. The public-key cryptosystem technique is a cryptosystem based on a mathematical algorithm, and does not require prior key sharing although its encryption and decryption speeds are not higher than the common-key cryptosystem technique. The public-key cryptosystem technique is characterized in that a secret communication is implemented using a public key published by a sending partner, and an authentication communication can be made by applying a digital signature (by preventing spoofing) using a secret key of the sender.
For this reason, the digital signature based on the common-key cryptosystem technique is used as authentication means when high-speed processing is required between partners or devices or when one of a signature generation apparatus and a signature verification apparatus has lower performance in an environment in which a secret key can be shared. The digital signature based on the public-key cryptosystem technique is used when a secret key cannot be shared in online shopping sites and online sites of banks and securities companies doing business on the Internet or when the computation performances of both the signature generation apparatus and signature verification apparatus are high even in an environment in which a secret key can be shared.
As the typical public-key cryptosystem technique, RSA and elliptic curve cryptosystems are known, and digital signature schemes based on these techniques have been proposed. In the RSA cryptosystem, the difficulty of the prime factorization problem is the grounds for its security, and modulo exponentiation calculations are used as signature generation calculations and signature verification calculations. In the elliptic curve cryptosystem, the difficulty of the discrete logarithm problem on an elliptic curve is the grounds for its security, and point calculations on the elliptic curve are used as signature generation calculations and signature verification calculations. With these public-key cryptosystem techniques, a cryptanalysis (signature forgery method) associated with a specific key (public key) has been proposed, but a general cryptanalysis (signature forgery method) is unknown. Hence, serious security problems have not been found yet except for a cryptanalysis using a quantum computer (to be described later).
As another digital signature scheme based on the public-key cryptosystem, a scheme called SFLASH based on the multivariate cryptosystem which sets a problem of solving simultaneous equations formed using an extended theory of fields as the grounds for its security is known. However, prevailing attack methods against the multivariate cryptosystem are known, and a required key size must be increased to avoid that cryptanalysis. Hence, the practicality of this scheme is beginning to be viewed with suspicion.
Meanwhile, even the RSA and elliptic curve cryptosystems which are prevalently used in digital signature now are exposed to risk of decipher if a quantum computer appears. The quantum computer is a computer which can make massive parallel computations using a physical phenomenon called entanglement (based on a principle different from the current computers). To date, the quantum computer is a virtual computer whose operation is confirmed merely on the experimental basis, but research and development toward implementation is being made. Shor demonstrated in 1994 that algorithms which can efficiently solve the prime factorization and discrete logarithm problems using this quantum computer can be configured (P. W. Shot: “Algorithms for Quantum Computation: Discrete Log and Factoring”, Proceedings of the 35th Annual IEEE Symposium on Foundations of Computer Science, 1994).
That is, if the quantum computer is implemented, the RSA cryptosystem based on the prime factorization and the elliptic curve cryptosystem based on the discrete logarithm problem (on the elliptic curve) can be decrypted.
Under such circumstances, studies about digital signature based on the public-key cryptosystem which is still secure after implementation of the quantum computer have been made in recent years. As a scheme which can be implemented at present and whose cryptanalysis is difficult even by the quantum computer, a scheme called SFLASH based on the multivariate cryptosystem is known. However, as described above, since the multivariate cryptosystem requires a huge key size to warrant security for existing computers, its practicality is doubtful.
Furthermore, the public-key cryptosystem requires a larger circuit scale and longer processing time than the common-key cryptosystem. Hence, the public-key cryptosystem cannot be implemented in a low-power environment such as mobile terminals and the like, or a long processing time is required if it can be implemented. For this reason, a public-key cryptosystem which can be implemented even in a low-power environment is demanded.
In general, a digital signature based on the public-key cryptosystem is configured to find out a problem (such as the prime factorization problem, discrete logarithm problem, and the like) which is hard to calculate and to make generation of a digital signature on a message called plaintext (without knowing any secret key) equivalent to solution of the problem which is hard to calculate in terms of a computation volume. However, even if such problem which is hard to calculate is found, a digital signature which sets that problem as the grounds for its security cannot always be configured. If the problem which is too hard to calculate is set as the grounds for security, a problem of generation of a key becomes hard, resulting in a difficult configuration. On the other hand, if an easy problem is used to allow key generation, a digital signature is easily forged.
Therefore, creativity that can reconfigure a problem having a fine balance, i.e., a problem which is easy enough to generate a key but is not easy enough to decrypt (without knowing any generated secret key) is required. Owing to this difficulty, digital signatures based on not many public-key cryptosystems have been proposed.
In this way, conventionally, there is no digital signature system (a system for generating a key, generating a digital signature, and verifying the signature) based on the public-key cryptosystem, which can warrant security even after the advent of the quantum computer, can be securely implemented even by existing computers, and has feasibility in a low-power environment.