1. Field of the Invention
The present invention relates to a method and an apparatus for generating an integrated digital signature from distributed digital signatures, and a method and an apparatus for generating a digital document with a digital signature which are used in a service for generating a digital signature for a digital document in which it is assured that the digital signature is not forged one, that is, it is assured that the digital signature is not one generated by other means.
More particularly, the present invention relates to a method and an apparatus for generating an integrated digital signature from distributed digital signatures, and a method and an apparatus for generating a digital document with a digital signature in which a proper integrated digital signature can be generated from partial digital signatures even when a predetermined number of partial digital signature generation systems operate incorrectly.
In addition, the present invention relates to a method and an apparatus for generating an integrated digital signature from distributed digital signatures, and a method and an apparatus for generating a digital document with a digital signature for preventing the risk of theft of secret key in centralized digital signature systems.
In addition, the present invention relates to a method and an apparatus for generating an integrated digital signature from distributed digital signatures, and a method and an apparatus for generating a digital document with a digital signature for preventing weak points in robustness against security attacks and fault tolerance of a conventional distributed signature generation system in which every distributed partial digital signature systems should operate correctly for generating an integrated digital signature.
2. Description of the Related Art
Most of conventional distributed digital signature generation systems based on public-key cryptosystem use a trusted third party when generating a signature key used for the partial digital signature. In this case, there is a possibility that information on the signature key leaks from the third party. That is, the conventional distributed digital signature generation system has a weak point in that safety of the system is impaired if a secret is leaked from one point in the system. In other words, the system has a weak point in that there is a single point of compromise.
In a distributed digital signature generation system in which a digital signature can be generated from partial digital signatures only when every distributed signature system generates correct partial digital signature, there is a weak point for robustness against security attacks and fault tolerance in that the digital signature can not be generated if at least one distributed signature system in the plurality of distributed signature systems operates incorrectly.
A conventional distributed digital signature generation system which tries to overcome the weak point of the secret leaking and the weak point of robustness against security attacks and fault tolerance is disclosed in T. Wu et al.: “Building intrusion tolerant applications”, in Proceedings of 8th UNENIX Security Symposium, USENIX, 1999 (which will be referred to as a first conventional method). In this system, partial signature keys are generated by each of partial digital signature generation systems which are distributed by performing distributed processing without using the third party, and partial information on the partial signature key is exchanged each other. Then, the distributed digital signature generation can be performed if a predetermined number, which is called a threshold, of the partial digital signature generation systems in the whole partial digital signature generation systems operate properly.
In addition, a method for preventing key information from increasing is proposed in S. Miyazaki, K. Sakurai, M. Yung “On threshold RSA-signing with no dealer” in Proceedings of ICISC'99, pp. 197–207, Springer, 1999 (which will be referred to as a second conventional method).
In addition, a method for generating an integrated digital signature by combining the threshold number of the partial digital signatures by using the trusted third party, and for solving the problem that key information increases is disclosed in V. Shoup “Practical threshold signatures”, in Proceedings of Eurocrypto 2000” (which will be referred to as a third conventional method).
In addition, in Japanese patent application No.8-351565 “key management system having hierarchy, encryption system and distributed digital signature system” (which will be referred to as a fourth conventional method), a distributed digital signature system using threshold distribution of secret keys having hierarchical structure is proposed. The method of threshold distribution of secret keys is based on A. Shamir “How to share a secret” Communications of ACM, Vol.22, pp. 612–613, 1979 in which original secret key is calculated once by using a polynomial interpolation equation for generating the digital signature by distributed processing.
In addition, as a service of providing a timestamp to a digital document by using distributed processing systems based on public-key cryptosystem, there is Japanese patent application No.11-247994 “Distributed type timestamp certification apparatus and method and recording medium recording distributed timestamp certification program” (which will be called a fifth conventional method). The function realized in the system proposed in this document can be realized by using time as additional information which is added to an input digital document. This distributed type time certification apparatus has a feature that every distributed timestamping authority in a plurality of distributed timestamping authorities must generate correct partial timestamp in order to obtain an integrated timestamp, and a feature that correct timestamped certificate can not be issued if a part of the distributed timestamping authorities are incorrect. Thus, it provides means for preventing forgery of timestamped certificate by a part of distributed timestamping authorities.
However, according to the above-mentioned first conventional method, it is necessary that each partial digital signature generation system prepares a different partial signature key according to which group generates the integrated digital signature among groups each including the threshold number of the partial digital signature generation systems. Therefore, there is a problem in that key information increases.
In addition, when a group tries to generate a digital signature, but, fails to generate it since a part of the partial digital signature systems in the group do not function correctly, it is necessary to generate the signature by another group. Thus, there is another problem in that time complexity of generating partial digital signatures by the partial digital signature generation systems and communication between an integrated digital signature generation system and the partial digital signature generation systems increase.
As for the second conventional method, it is possible to solve one problem that the key information increases in the two problems of the first conventional methods. However, the second problem that time complexity of generating partial digital signatures by the partial digital signature generation systems and communication between an integrated digital signature generation system and the partial digital signature generation systems increase when a group fails to generate the signature remains unsolved. In addition, time complexity of generating digital signature from the partial digital signatures increases as the number of the partial digital signature generation systems increases so that there is a problem in that amount of the whole process of generating the signature increases. In addition, time complexity for verifying validity of the partial digital signatures is large. Thus, there is a problem in that time complexity for assuring that only correct partial signature keys are combined for generating an integrated digital signature is large.
The third conventional method is a method for generating the integrated digital signature by combining the threshold number of partial digital signatures and which can solve the problem that key information increases. However, also according to this method, time complexity of generating digital signature from the partial digital signatures increases as the number of the partial digital signature generation systems increases so that there is a problem in that the amount of the whole process of generating the signature increases. In addition, there is a problem in that time complexity for assuring that only correct partial signature keys are combined for generating an integrated digital signature is large.
As for the fourth conventional method, since original secret key is calculated once by a polynomial interpolation equation, the system which performs this calculation can know information of a secret key. Thus, there is a weak point in that a single point of compromise exists. In addition, this document does not disclose a method in which, when a predetermined number of holding systems of secret partial information try to generate a digital signature, and when a part of the partial information holding systems operate incorrectly, it is identified which partial information holding system operates incorrectly, and a digital signature is generated efficiently by using only correct systems by removing the incorrect systems.
As for the distributed type timestamp certification apparatus in the method of the fifth conventional method, there is a weak point in robustness against security attacks and fault tolerance since timestamped certificate can not be generated if at least one distributed timestamping authority functions incorrectly.