This invention relates to a digital signature technology for long-term assurance of authenticity of log data or data that occurs in large quantity at any time.
Increasing attention is being drawn on technologies for long-term assurance of the authenticity of log data that occurs in large quantity at any time, such as: recording of linkage information on a resident ID system on which consideration is being advanced by the Japanese government; and storage of access histories relating to use/utilization of medical information and transaction data in financial systems.
There is a digital signature as a technology for assuring the authenticity of electronic data, but the digital signature expires in three to five years, which causes a problem when long-term storage thereof is set as a purpose. As a method for solving this problem, at a time of assigning a signature to every piece of data, a hash value is calculated after it is confirmed that the first previous piece of signed data has not been tampered, and the signature is assigned along with signature target data. Therefore, all the pieces of data form a hash chain by including the hash value of the first previous piece of signed data. By forming the hash chain, it is possible to link the past signature to the latest signature with the hash value, which allows the assurance of the past signature by using the latest signature. In other words, even when the signature expires, it is possible to assure the authenticity of the past data by tracing the hash chain from data (hereinafter referred to as “trust point”) that is assured by an unexpired signature. In other words, the wording “tracing the hash chain” represents using the signed data forming the hash chain to repeat an operation for verifying that the first previous piece of signed data has not been tampered by comparing the hash value of the first previous piece of signed data included in the verified data with the hash value calculated from the first previous piece of signed data.
However, when the long-term assurance of the authenticity of a large quantity of log data is set as a purpose, assigning signatures to all the pieces of log data increases a load on a computer. Further, when a given piece of log data is tampered, the authenticity of the log data earlier than the given piece is no longer assured. In addition, to verify the authenticity of specific log data, it is necessary to examine all the hash chains one by one from the trust point (log data with an unexpired signature) up to the specific log data, which raises a problem of increasing the load on the computer.
In order to solve those problems, in WO 2008/026238, there is disclosed a method of reducing a frequency at which a signature is assigned to the data forming the hash chain down to once every a plurality of pieces, to thereby reduce the load on the computer. At this time, a method of saving the hash value of the first previous piece of data to a tamper-resistant apparatus is disclosed as a method of assuring that the first previous piece of data has not been tampered. In other words, it is possible to confirm that the first previous piece of data has not been tampered when the verification is performed by comparing the hash value saved to the tamper-resistant apparatus with the hash value calculated from the first previous piece of data.
Further, as the assurance of the authenticity of the log data earlier than a given piece of log data performed when the given piece is tampered, there is disclosed a method of forming hash values of a plurality of pieces of log data to have a tree-like hierarchical structure by combining the hash values to take a hash value of the combined hash values, and limiting an influence range of tampering to a specific range when a lower part of the tree is tampered.