The present invention relates to a digital signature system that generates and verifies a digital signature for the purpose of attesting to the integrity of an electronic document and certifying the person who prepared that document.
Digital signatures are used extensively to prevent the fabrication or falsification of electronic documents (attestation of integrity) and to authenticate persons. With ordinary digital signature systems, the signer generates in advance a secret key paired with a public key, and makes the public key public. Generally, the secret key is stored on an IC card or the like and managed personally by the signer, so that the key can be used only by the signer and is kept secret from other people. The signer can generate his or her signature on a given electronic document using the secret key. Using the public key, the verifier can check that the signature matches the electronic document, i.e., that neither the document nor the signature has been fabricated or falsified since signing. Algorithms for such digital signatures include, for example, RSA signature, DSA, ElGamal signature, Schnorr signature, and their elliptic curve variants (ECDSA, elliptic curve ElGamal signature, and elliptic curve Schnorr signature).
With such a digital signature system, however, if someone falsely impersonates the owner of the public key, the signature loses its validity: verification proves only that the signer held the secret key matching the public key, not to whom that public key belongs. For example, suppose that a document prepared and signed by signer A is falsified by wrongdoer B, that the signature of signer A is replaced with that of wrongdoer B, and that the public key of wrongdoer B is falsely made public as the public key of signer A. In such a case, the verifier will accept the document falsified by wrongdoer B as a valid document prepared by signer A.
In order to circumvent the above problem, PKI (Public Key Infrastructure) has been utilized (see Non Patent Literature 1). With PKI, a trustworthy third party (certification authority) signs the set of a public key and data such as the ID of the public key owner; the signed set is issued as a certificate. The verifier first verifies the certification authority's signature included in the signer's certificate, and then verifies the signature on the electronic document of interest using the public key included in that certificate. In order to further ensure the validity of the certification authority's own public key, that key is in turn certified by a higher-order certification authority. In this manner, with the dependencies of trust generally forming a tree structure, PKI predicates overall trustworthiness on the assumption that all signers and verifiers place their confidence in the certificate of the highest-order certification authority (the root). (Non Patent Literature 1: Carlisle Adams and Steve Lloyd, “Understanding Public-key Infrastructure: Concepts, Standards, and Deployment Considerations,” Macmillan Technical Publishing, 1999)
Also, PGP (Pretty Good Privacy) is software and a standard used primarily for encrypting and signing e-mail (see Non Patent Literature 2). As a solution to the above problem different from that of PKI, PGP adopts the concept of the “Web of trust,” discussed below. Using his or her secret key, a PGP user may attach his or her signature to the public key of any other user. For example, user A may identify user B by some appropriate method and attach his or her signature to user B's public key. Suppose that user C has identified user A by some suitable method and therefore trusts user A's public key. Now suppose that user B sends user C an e-mail signed with user B's secret key, along with user B's public key bearing user A's signature. Even though user C does not know (trust) user B, user C trusts user A's public key, so user C can verify user A's signature on user B's public key using user A's public key; this establishes the validity of user B's public key and, in turn, of the e-mail verified using that key. This is the concept of the “Web of trust”: a public key signed by a trustworthy user can itself be trusted, so trust extends exactly as far as the verifier trusts the users who act as introducers. (Non Patent Literature 2: Zimmermann, P., “The Official PGP User's Guide,” Cambridge, Mass.: MIT Press, 1997 (fourth printing))
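The mechanics of the preceding paragraphs, as an added example in Python that is not code from the patent or from the literature it cites: elliptic curve Schnorr signatures over secp256k1 (one of the algorithms named above), the impersonation of the public key owner that bare signature verification cannot detect, and a single chain-checking routine that covers both the PKI tree (a root certification authority certifying a subordinate authority, which certifies the signer) and the PGP web of trust (user A vouching for user B's key to user C). The user names, the mail text and the trust anchors are constructed for the example; the curve constants are the published secp256k1 parameters; the certificate format is a hypothetical tuple, not an X.509 or OpenPGP encoding.

```python
"""Elliptic-curve Schnorr signatures over secp256k1 with certificate-chain and
web-of-trust checking. Added example: not code from the patent or its cited works."""
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P); G has prime order N.
P = (1 << 256) - (1 << 32) - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(A, B):
    """Affine point addition (textbook formulas; no side-channel hardening)."""
    if A is INF: return B
    if B is INF: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, Pt):
    """Double-and-add scalar multiplication k*Pt."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, Pt)
        Pt, k = ec_add(Pt, Pt), k >> 1
    return R

def keygen():
    """Signer keeps secret scalar x and publishes Y = x*G."""
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

def _challenge(R, Y, msg):
    data = b"".join(c.to_bytes(32, "big") for c in (*R, *Y)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(x, msg):
    """Schnorr signature (R, s): R = k*G, e = H(R, Y, msg), s = k + e*x mod N."""
    Y, k = ec_mul(x, G), secrets.randbelow(N - 1) + 1   # k is a fresh nonce; reuse leaks x
    R = ec_mul(k, G)
    return R, (k + _challenge(R, Y, msg) * x) % N

def verify(Y, msg, sig):
    """Check s*G == R + e*Y. Proves the signer holds x for Y; says nothing about who owns Y."""
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(_challenge(R, Y, msg), Y))

def key_binding(name, Y):
    """The (ID, public key) pair a certifier signs: a certificate in PKI, a key signature in PGP."""
    return f"{name}:{Y[0]:x}:{Y[1]:x}".encode()

def certify(certifier_x, name, Y):
    return sign(certifier_x, key_binding(name, Y))

def key_is_trusted(name, Y, certs, anchors, depth=4):
    """True if (name, Y) is an anchor the verifier identified directly, or a certifier
    whose own key is trusted signed the binding. certs holds hypothetical tuples
    (certifier_name, certifier_key, subject_name, subject_key, signature); depth bounds
    the chain so a loop of mutual certifications cannot recurse forever."""
    if anchors.get(name) == Y:
        return True
    if depth == 0:
        return False
    return any(
        (sname, sY) == (name, Y)
        and verify(cY, key_binding(name, Y), sig)
        and key_is_trusted(cname, cY, certs, anchors, depth - 1)
        for cname, cY, sname, sY, sig in certs)

def web_of_trust_demo():
    """Replays the scenarios from the text; returns five booleans, all expected True."""
    xa, Ya = keygen()   # user A, whom verifier C has identified directly
    xb, Yb = keygen()   # user B, unknown to C
    xw, Yw = keygen()   # wrongdoer W
    xr, Yr = keygen()   # a root certification authority
    mail = b"Pay invoice 42 to account 1111"                  # constructed message
    anchors = {"A": Ya}                                       # C trusts only A's key
    certs = [("A", Ya, "B", Yb, certify(xa, "B", Yb))]       # A vouched for B's key
    honest_ok = key_is_trusted("B", Yb, certs, anchors) and verify(Yb, mail, sign(xb, mail))
    tamper_caught = not verify(Yb, mail + b"0", sign(xb, mail))
    # Impersonation from the text: W rewrites the mail, signs with W's key, offers W's key as "B".
    fake = b"Pay invoice 42 to account 9999"
    bare_verify_fooled = verify(Yw, fake, sign(xw, fake))          # the signature alone cannot tell
    w_certs = certs + [("W", Yw, "B", Yw, certify(xw, "B", Yw))]    # W even vouches for itself
    chain_rejects = not key_is_trusted("B", Yw, w_certs, anchors)
    # PKI-style tree: C anchors only the root; root certifies A as subordinate CA; A certifies B.
    tree = [("Root", Yr, "A", Ya, certify(xr, "A", Ya)), ("A", Ya, "B", Yb, certify(xa, "B", Yb))]
    via_tree = key_is_trusted("B", Yb, tree, {"Root": Yr})
    return honest_ok, tamper_caught, bare_verify_fooled, chain_rejects, via_tree
```

Run `web_of_trust_demo()`; the value worth dwelling on is `bare_verify_fooled`: the wrongdoer's signature verifies perfectly under the wrongdoer's key, which is exactly why the verifier must establish whose key it is before using it, either through an anchor it verified itself or through a chain of certifications ending at such an anchor. The `depth` bound in `key_is_trusted` is the guard a practitioner adds against cyclic certifications.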
There has also been proposed a digital signature method (ID-based signature) in which the user ID itself (e.g., the user's mail address) is used as the public key (see Non Patent Literature 3). With the ID-based signature scheme, the user ID serves as the public key of each user, so there is no need to issue a certificate for the public key. However, the signer needs a trustworthy third party, called the Private Key Generator (PKG), to generate and issue the secret key corresponding to the user ID. At that point, the PKG must verify, by some suitable method, that the person applying for a secret key is indeed the person in possession of the user ID in question. Because the PKG derives every user's secret key from its own master secret, it must also be trusted not to misuse that capability. (Non Patent Literature 3: Adi Shamir, “Identity-Based Cryptosystems and Signature Schemes,” Advances in Cryptology: Proceedings of CRYPTO 84, Lecture Notes in Computer Science, Vol. 196, 1985, pp. 47-53)
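The ID-based signature itself, as an added example in Python that is not the patent's code: it implements the RSA-based construction from Shamir's paper cited above, in which the PKG holds the RSA secret exponent d as its master secret, the identity i is hashed from the ID string, the user's secret key is g = i^d mod n, and a signature on message m is (t, s) with t = r^e and s = g·r^f(t,m) mod n for a random r. The modulus is constructed from two published Mersenne primes so the code stays self-contained and fast; the mail addresses are constructed; and the PKG's check that the applicant actually owns the ID is assumed to happen out of band.

```python
"""Shamir's identity-based signature scheme (CRYPTO '84), where the user ID is the
public key. Added example: not code from the patent or Shamir's paper, and the PKG's
identification of the applicant is not modelled."""
import hashlib
import secrets

# Constructed toy PKG parameters: n is the product of two published Mersenne primes,
# so anyone can factor it instantly. Real deployments need a 2048-bit or larger n.
_P, _Q = (1 << 31) - 1, (1 << 61) - 1
N = _P * _Q                               # public modulus
E = 65537                                 # public exponent, coprime with phi(n)
_D = pow(E, -1, (_P - 1) * (_Q - 1))      # PKG master secret: never leaves the PKG

def identity_value(user_id):
    """The public key IS the ID: map the ID string (e.g. a mail address) into Z_n."""
    return int.from_bytes(hashlib.sha256(user_id.encode()).digest(), "big") % N

def pkg_extract(user_id):
    """PKG issues the secret key g = i^d mod n for identity i. Only the PKG can
    compute this, so it must first confirm that the applicant really owns user_id."""
    return pow(identity_value(user_id), _D, N)

def _f(t, msg):
    """One-way function binding the commitment t to the message."""
    return int.from_bytes(hashlib.sha256(t.to_bytes(16, "big") + msg).digest(), "big")

def id_sign(secret_g, msg):
    """Signature (t, s): t = r^e, s = g * r^f(t,m) mod n for a fresh random r."""
    r = secrets.randbelow(N - 2) + 2
    t = pow(r, E, N)
    return t, secret_g * pow(r, _f(t, msg), N) % N

def id_verify(user_id, msg, sig):
    """Check s^e == i * t^f(t,m) mod n using nothing but the ID and the PKG's public (n, e)."""
    t, s = sig
    return pow(s, E, N) == identity_value(user_id) * pow(t, _f(t, msg), N) % N

def id_based_demo():
    """Returns (valid, wrong identity, altered message); expected (True, False, False)."""
    alice = "alice@example.com"            # constructed ID, a mail address as in the text
    g_alice = pkg_extract(alice)           # issued by the PKG after identifying Alice
    msg = b"the verifier needs no certificate, only my address and the PKG parameters"
    sig = id_sign(g_alice, msg)
    return (id_verify(alice, msg, sig),
            id_verify("mallory@example.com", msg, sig),
            id_verify(alice, msg + b"!", sig))
```

Because `_D` can derive every user's secret key, whoever controls the PKG can sign as any user; that is the trust the text places in the PKG, and it has no counterpart in the PKI or web-of-trust settings, where each signer generates his or her own secret key.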
JP-2003-323116-A (Patent Literature 1) discloses a method aimed at simplifying the identification procedure by which a user registers a public key with a PKI. In the disclosed method, a secret key (SK) for public key encryption is generated from the user's biometric data B and secret data R, and the user is identified as follows upon receipt of a public key certificate issued by the certification authority: with regard to the RSA secret key SK generated from the secret data R and the user's first biometric data B, second biometric data B′ of the user is obtained, and using B′ it is verified whether SK was indeed generated from the secret data R and the first biometric data B.