1. Field of the Invention
The present invention relates to a participation authority management system for use in electronic access, electronic bidding, electronic lottery, electronic petition, electronic voting or the like.
2. Description of the Prior Art
Conventionally, an anonymous participation system using blind signature has been studied. Blind signature refers to a system in which a signer signs without seeing the signed contents. For example, in the case of electronic voting, data involved in the participation is the voting contents of the voter himself/herself.
Thus, electronic voting can be conducted as follows. First, a participant subsystem (presenter) authorized to vote proves before a manager subsystem that the presenter is authorized to vote and then has the manager subsystem sign the voting contents by means of a blind signature.
A voting statement with the signature of this manager subsystem affixed is sent to a verification subsystem. The verification subsystem regards the voting statement submitted with the signature of the manager subsystem as a voting statement sent by an eligible voter. To prevent an identical participant subsystem from participating in an identical voting session two or more times, it is determined that voting data which varies from one participant subsystem to another should be used and that the manager subsystem should issue a blind signature to each participant subsystem only once.
In the case where voting contents with the same signature are sent, this makes it possible to determine that the same participant subsystem has attempted to vote twice. Since blind signature is used, even the manager subsystem cannot know to which participant subsystem the voting statement with the signature has been issued, which makes it possible to maintain anonymity.
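The blind-signature voting flow described above, as an added example that is not part of the original document. It assumes textbook RSA blind signatures (the text names no particular scheme), a constructed toy key, and hypothetical names (Manager, Verifier, make_ballot, blind, unblind).

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the manager subsystem (two Mersenne primes).
# Far too small and structured for real use; it only keeps the example offline.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(ballot: bytes) -> int:
    return int.from_bytes(hashlib.sha256(ballot).digest(), "big") % N

class Manager:
    """Signs one blinded value per eligible participant, never seeing the ballot."""
    def __init__(self, eligible):
        self.eligible, self.issued = set(eligible), set()

    def sign_blinded(self, voter_id: str, blinded: int) -> int:
        if voter_id not in self.eligible or voter_id in self.issued:
            raise PermissionError("not eligible or signature already issued")
        self.issued.add(voter_id)
        return pow(blinded, D, N)

def make_ballot(choice: str) -> bytes:
    # A random nonce makes the voting data differ between participants.
    return f"{choice}|{secrets.token_hex(16)}".encode()

def blind(ballot: bytes):
    # Returns the blinded digest and the blinding factor r kept by the participant.
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (digest(ballot) * pow(r, E, N)) % N, r

def unblind(blind_sig: int, r: int) -> int:
    return (blind_sig * pow(r, -1, N)) % N

class Verifier:
    """Accepts a ballot carrying a valid manager signature, but only once."""
    def __init__(self):
        self.seen = set()

    def submit(self, ballot: bytes, sig: int) -> str:
        if pow(sig, E, N) != digest(ballot):
            return "invalid"
        if sig in self.seen:
            return "duplicate"
        self.seen.add(sig)
        return "accepted"
```

The manager only ever sees the blinded value, so it cannot match the unblinded signature the verifier receives to the participant who requested it.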
Likewise, an electronic voting system using anonymous certificates with blind signature is also under study. In the conventional example above, the participant subsystem needs to have the manager subsystem issue a blind signature every time the participant subsystem participates in voting, that is, for every voting session. Therefore, the following describes a conventional case where a participant subsystem can participate in electronic voting any number of times with a single registration procedure.
First, the participant subsystem proves before the manager subsystem that the participant subsystem is a participant subsystem authorized to anonymously participate, then has the manager subsystem sign its own public key by means of a blind signature. The public key with this signature of the manager subsystem affixed is called an “anonymous certificate”.
Next, the participant subsystem signs the voting contents with its own secret key and sends the signed voting contents and the anonymous certificate to a verification subsystem. The verification subsystem confirms that the anonymous certificate submitted is a public key with the signature of the manager subsystem affixed and that the signature of the voting statement can be correctly verified based on this public key, and when the confirmation is obtained, regards this as a voting statement sent by an eligible voter. That an identical participant subsystem has not participated in an identical voting session more than once is confirmed by the absence of other voting statements based on the same anonymous certificate.
Use of blind signature makes it unknown even to the manager subsystem to which participant subsystem an anonymous certificate has been issued, which makes it possible to maintain anonymity. However, if an identical participant subsystem votes in two voting sessions using an identical anonymous certificate, it will be revealed that the same participant subsystem has participated.
Next, group signature will be explained below. This is a system in which even if two or more signatures are affixed using an identical anonymous certificate, whether the same signer has signed or not is kept concealed. This technique is described in detail in a paper called “Efficient group signature schemes for large groups” in the international conference CRYPTO '97 by J. Camenisch and M. Stadler.
First, the participant subsystem proves before the manager subsystem that the participant subsystem is a participant subsystem that belongs to a group authorized to participate anonymously and then has the manager subsystem issue a group secret key.
Next, data to be sent is signed with this secret key and the signed data is sent to the verification subsystem.
The verification subsystem confirms that the data submitted has a signature verifiable by a group public key affixed, and when the confirmation is obtained, this can be regarded as the data sent by a participant subsystem belonging to an eligible group. Use of group signature makes it impossible to identify the particular participant subsystem in the group to which the group secret key used for generating each signature belongs, which makes it possible to maintain anonymity.
However, with this system even if an identical participant subsystem has sent data more than once to an identical session, there is no way to verify whether the two signatures are affixed by using an identical group secret key or not, and therefore this system cannot be used for applications such as electronic voting which must prevent double voting.
A technology similar to group signature is escrow identification, which is described in detail in a paper called “Identity Escrow” in the international conference CRYPTO '98 by J. Kilian and E. Petrank. However, this technology does not provide means for determining whether two identification information pieces are issued from an identical participant subsystem or not, either.
A technology called “subgroup signature” is available, which is a technology using group signature whose number of signatures is equal to the number of different participant subsystems. This technology is described in detail in a paper called “Some open issues and new directions in group signatures” in the international conference Financial Cryptography '99 by G. Ateniese and G. Tsudik. However, since all participant subsystems provide a signature for common data, this technology cannot be used for voting in which data to be sent varies from one participant to another.