Portal field news

Portal field news


🏥 | Let's check the validity of digital signatures


Let's check the validity of the digital signature

If you write the contents roughly
By using an electronic signature, not only can you reduce the number of times you go to work, but you can also reduce costs and take sustainability-conscious actions by eliminating the need for paper that you have been using.

Due to the influence of the new coronavirus, such as promotion of remote work and introduction of web conferencing, changes in working styles have been required ... → Continue reading

 Occupational Health Newspaper

Occupational health nurses, certified psychiatrists, psychiatric social workers, and registered dietitians deliver the latest information on health and mental health!It is operated by Dr. Trust, which has more than 2,800 industrial physician contracts.

Wikipedia related words

If there is no explanation, there is no corresponding item on Wikipedia.

Electronic signature

Electronic signature(Denshoshomei) is an electromagnetic record (Electronic document), Which is an electronic proof, in a paper document.seal,SignIt plays a role equivalent to (signature). mainlyIdentificationAndManipulation detectionIn combination with the signForgery-FalsificationIt is used to prevent (kaizan).

As a mechanism to realize electronic signature,Public key cryptographyBased on methodDigital signatureIs influential.JapanThen,Law Concerning Electronic Signature and Authentication BusinessArticle 3 of the "Guidelines for accreditation of specific certification business based onRSA,LD,ECDSA 3 methods are specified. Both are based on public key cryptography.

Need for digital signature

If there is a person (creator) listed in the document as the creator of a document, it is usually attached to the document that the document was really created by the creator. Proven by the author's seal or signature. However, electronic documents cannot be directly stamped or signed. Marks and signatures stamped on paperScannerEven if you capture it with and add the image to the document, the image of the seal or signature is easyCopy and PasteThere is no proof power because it can be done.

In order to popularize electronic trading, about electronic documents used for tradingCreator's warrantyとIdentity of contentA mechanism to realize (non-tampering) is required.

Creator's warranty
A mechanism that can certify the creator of an electronic document, which is equivalent to a stamp or signature used for ordinary paper documents.
Identity of content
Guarantee that the electronic document has not been tampered with, that is, a mechanism that can detect it if it has been tampered with.

Digital signature model

Digital signature methodKey generation algorithm,Signature (generation) algorithm,Verification algorithmThere are three algorithms.

The key generation algorithm is a preparatory algorithm, and the user who wants to sign must execute this algorithm in advance.When a user runs this algorithm, the algorithm is for that userPublic keyandSecret keyOutputs (data called). If you compare it to a seal, the private key isReal sealThe public key is the mount used for seal verification (Seal registration certificate) Corresponds to.

When the user executes the key generation algorithmSecurity parametersEnter a value called into this algorithm.Security parameters are a measure of the difficulty of forging signature text.Random numbers are also input to the key generation algorithm.Since a different random number is selected each time the key generation algorithm is executed, a different public / private key pair is assigned to each user.

Each user keeps the private key (corresponding to the registered seal) so that it cannot be used by others, while exposing the public key (corresponding to the seal stamp certificate) to everyone.Only the user knows (can use) the user's private key, whereas all users can easily know the user's public key.Public key and private key respectivelyVerification key,Signing keyAlso called.

A user who has completed preparations can digitally sign an electronic document using a private key (signature key) as many times as necessary.To digitally sign, first enter a message in the signature generation algorithm.Then the signature generation algorithm is the signer of the messageSignature textIs output. The user who created the signature is assigned to the signatureSignerThat.

The signer enters his private key along with the message when composing the signature.Since only the signer should know (can use) the signer's private key, no one other than the signer can create the same signature in the same way, and this property is electronic. It provides a basis for identifying the creator of the signed electronic document.

The signer sends the message and the signature text for it to other users.

User who received the message and signature (Verifier) Can verify whether the signature statement is correct by inputting these and executing the verification algorithm.At this time, the verifier also inputs the public key (verification key) of the signer (presumed user) into the verification algorithm. (Because the public key is public information, the verifier can know the signer's public key).

The verification algorithm determines whether the signature statement was really created by the user and outputs the result."The verification algorithm has accepted the signature statement A" or "The signature statement has validated" that the validation algorithm has determined that the signature statement is valid.It has passed".On the other hand, if the verification algorithm determines that the signature statement is invalid, "the verification algorithm rejects the signature statement A" or "the signature statement verifies the signature statement."Did not pass".

Public key authentication

When publishing the public key, it is desirable to publish it through a trusted third party.There are several known ways to associate each public key with the owner of the public key.The typical methods are the following two.

  1. A table in which a trusted third party associates each person's ID with the public key (Public key book) Create and publish.
  2. A trusted third partyCertificate AuthorityOperated byPKI Associate each person's ID with the public key using the mechanism of (Seal certificateCorresponds to).

Prevention of tampering

Generally, digital signatures are more than just personal authentication.Forgery-FalsificationIn many cases, the purpose is to prevent. In that case, the message input to the signature generation algorithm is not the document itself, but the documentManipulation detectionUse the sign.This also has the effect of making the size of the digital signature smaller than the size of the document.Inappropriate tamper detection code (eg instead of tamper detection code) CRC Such asError detectionIf a code) is used, forgery or tampering can be easily performed even if an electronic signature is applied.Therefore, the electronic signature may be evaluated including the tampering detection code used.

Estimating the authenticity of electronic documents

Article 228 of the Code of Civil ProcedureStipulates that "a document must prove that its establishment is genuine" (Article 228, paragraph 1).Civil actionSo, in order to use a document as evidence as having been created by the person listed as its creator (creator), first of all, that (the document was really created by its creator). We must prove that (= true establishment).

For example, in a lawsuit in which A sues B, in order to use the contract with A and B's signature seal as evidence, B really creates the contract (assuming that A is self-approved). You must first prove that you did. However, it is often difficult to prove an act (creating) performed at some point in the past.

To alleviate the burden, the Civil Procedure Code stipulates in Article 228, paragraph 4, that "a private document is presumed to be genuinely approved when it is signed or imprinted by the principal or his agent." Article 229 stipulates that "the authenticity of a document can be proved by contrasting handwriting or imprints."

As a result, if we prove that the signature and seal of you (attached as) in the contract is indeed yours, we can use the contract as evidence unless it is disproved. is there. If the contract is stamped with your own seal and the imprint matches that of your seal certificate, it is also easy to rule out that the seal is due to your intention. Estimated to.

Since the seal is stamped with the original seal of the second party and the seal stamp certificate is attached, the contract can be used as proof without spending a great deal of effort to prove the genuine establishment (unless the second party proves the fact contrary to it). You can do it.

Electronic signature method(Article 3) stipulates that an electronic document is presumed to have been genuinely established when its contents are digitally signed by the person himself / herself (Article 228), but this is the electronic document version of Article 4, Paragraph XNUMX of the Code of Civil Procedure. It can be said.

Definition of digital signature method

(Electronic) signature method((Denshi) Shomei Hoshiki, (digital) signature scheme) is a triplet (G, S, V) of the average polynomial time probability algorithm.

  1. G isKey generation algorithmIt is called (key generation algorithm), 1kWhen you enterPublic key-Secret keyOutput a pair (pk, sk). But here k isSecurity parameters.
  2. S isSignature algorithmCalled (shomei-, signing algorithm),'PlaintextWhen a pair of m and private key sk (m, sk) is entered, for plaintext m(Electronic) signature((Denshi) Shomeibun, (digital) signature) s is output.
  3. V isVerification algorithmIt is called (kensho-, verification algorithm), and when a set of plaintext m, signature statement s, and public key pk (m, s, pk) is input, the character string ACCEPT or REJECT is output. VpkWhen (m, s) = ACCEPT, the signature statement s is (for public key pk and plaintext m).Pass verification(Accept, "validIt is also called "), and when it is notDoes not pass verification(reject, "invalidIs also called ").


Digital signatures (G, S, V) must meet the following requirements:
Correctness: Signature text made by a legitimate signer passes verification.
Security: Only signature texts made by legitimate signers pass the verification.

However, the "legitimate signer" here refers to the owner of the private key corresponding to the public key used for verification.

Strict definition of requirements

Strict definition of legitimacy

For any plaintext m

Strict definition of safety

More stringently define the security requirements for digital signatures. There are several definitions of the security of the electronic signature method depending on what kind of goal is achieved under what conditions that "only the signature text made by a legitimate signer passes the verification". , Simply "safe"Existence non-counterfeiting against select document attacks(Existencial Unforgeability against Chosen Message Attack, abbreviated as EU-CMA) is usually referred to, so this definition is introduced here.

Is an electronic signature method, and k is a security parameter. Digital signature method for ATo be an attacker against. Using Attacker A,Experiment(experiment Game(Also called (game)).
First 1kIs used as an input to run the key generation algorithm to create a public / private key pair (pk, sk). Then pass pk and k to attacker A.
Attacker A is in the middle of an experimentSignature oracleYou can access O (sk, ・) any number of times. The signature oracle is the signature statement s = S for m using the private key sk when the plaintext m is sent from attacker A.skIt is an oracle that creates (m) and sends s to A.
The goal of attacker A is to output a pair (m, s) of plaintext m and signature sentence s that has passed verification and has not sent m to signature oracle O. If you can create such (m, s), A wins, otherwise A loses.
The above experiment can be written more formally as follows.


If ( ToI've heard that) Return LOSE
If () Return LOSE
Return WIN

The probability that A wins in the experimentI will write. (Note: Although this symbol is used relatively often, it is not necessarily a symbol that everyone has agreed with, so a word of explanation is required when using it).
However, the probabilities here are those when G, S, V, A internal random numbers are randomly selected.

Is the electronic signature system. For any mean polynomial time probability algorithm A, For knegligibleDigital signature system TheExistentially unforgeable against selective document attacksThat.

Representative electronic signature method

RSA signature,ElGamal signature,LDSignature, Schnorr signature, Cramer-Shoup signature, Ellipse ElGamal signature,Elliptic curve DSAVarious signature schemes such as signature and elliptic Schnorr signature are known.

RSA signature and ElGamal signature respectivelyPrime factorizationproblem,Body OfMultiplicative groupupperDiscrete logarithm problemIt is a signature system based on. These two signature schemes are particularly famous because they are signature schemes that were proposed in the early days of research on cryptography. However, RSA signatures are not CMA-EUF secure (because textbook RSA signatures are self-evidently counterfeitable) and ElGamal signatures are (although expected to be CMA-EUF secure) CMA-EUF secure. Not sure if EUF safe. The DSA signature is a modified version of the El Gamal signature and is the standard encryption of NIST in the United States, but the security is the same.

The Schnorr signature is the difficulty of the discrete logarithm problem on the multiplicative group of prime fields.Random oracleIt is a signature scheme that has been shown to be CMA-EUF secure under the assumption, and is as efficient as the ElGamal signature. Random oracle is a concept that is often used in research on cryptography, and is an idealized concept that the hash function "behaves sufficiently randomly". The random oracle assumption is an assumption that "a random oracle exists", but the random oracle is an idealized reality and cannot exist in reality.

Cramer-Shoup signatures are the first (and efficient) signature schemes that can be shown to be secure without using idealized assumptions like random oracles,Strong RSA AssumptionIt has been shown that CMA-EUF is secure under the condition that a signature can be created and verified with a calculation amount that is several times that of RSA encryption.

Signature schemes based on the discrete logarithm problem on the multiplicative group of prime fields such as ElGamal signature, DSA signature, and Schnorr signature, instead of the multiplicative group of prime fieldsElliptic curveIt is possible to reduce the amount of calculation by using a group and to shorten the signature length. The ElGamal signature and the Schnorr signature using the elliptic curve group are called the elliptic curve ElGamal signature, the elliptic curve DSA signature, and the elliptic Schnorr signature, respectively.

Related item

外部 リンク

Guideline for certification of specific certification business based on the law on electronic signature and certification business[Broken link] -Civil Affairs Bureau, Ministry of Justice


Back to Top