Abstract: An order-preserving encryption system has an encryption means which generates a ciphertext as a sum of data which complies with a distribution X determined in advance, and the encryption means generates the ciphertext using the distribution X represented in a format that data of a bit length determined at random is selected at random according to a distribution matching the bit length.

Abstract: A user apparatus connected to database apparatus via network comprises: unit that manages key information in order to encrypt and decrypt; storage unit that stores security configuration information of data and/or metadata; application response unit that determines whether or not encryption is necessary for database operation command, and if encryption is necessary, selects encryption algorithm corresponding to data and/or metadata, performs encryption, and transmits result to database control unit to cause database control unit to execute database operation, if encryption is not necessary, transmits database operation command to database control unit to cause database control unit to execute database operation, and receives processing result transmitted by database control unit, and if decryption or conversion of data and/or metadata of processing result is necessary, performs necessary decryption or conversion, and returns response to database operation command; and security configuration unit that configur

Abstract: A signature unit, in which a user device generates/transmits digital signature data to an authentication device, includes: a first function, which receives as input a plurality of subsets in which a plurality of characteristics of the users are classified; a second function, which generates a first encrypted text acquired by encrypting a user device public key with an identification device public key; a third function, which generates a second encrypted text, acquired by encrypting characteristic values belonging to a specific subset among the subsets with a characteristic value disclosure device public key; and a fourth function, which employs portions of a group public key and a member certificate to generates a signature of knowledge that denotes that data, of multiplication of a portion of the user device public key and all of the numerical values of a characteristic value certificate corresponding to each of the characteristics, satisfies the specific conditions.

Abstract: A key creating device creates a first public key and a first secret key of the electronic signature method satisfying the noncounterfeitability and a second public key and the first secret key of the chameleon commitment method. The signature device generates a commitment, a first random number according to the Com algorithm, and a first signature by using the first secret key. The signature device further generates a second random number according to the Cam algorithm by using the message written by adding a first signature to an object message, and creates an electronic signature by combining the first signature and the second random number. A verifying device receives the signed message written by adding the first signature included in the electronic signature to the object message, creates a commitment according to the ComVer algorithm, and performs verification by using the commitment and the first signature.

Abstract: An efficient and safe group signature scheme is provided. According to the present invention, an open unit is provided to not an issuer but an opener, and a data required for operating the open unit does not include a key pair of the issuer, so that it is possible to accurately operate the open unit even if the issuer generates the public key in an illegal manner. In addition, it is possible to prove that a key pair of a member cannot be counterfeited. It is possible to implement from a discrete logarithm assumption a feature that a cipher text, that is, a portion of a signature text can be decrypted only by the opener in a method which IS the same as a method representing that an ElGamal crypto scheme is safe.

Abstract: The user device includes: a recording unit which stores system parameters as respective parameters given in advance, a disclosure public key, a user public key, a user private key, a member certificate, and an attribute certificate; an input/output unit which receives input of the document from the user and an attribute the user intends to disclose; a cryptograph generating module which generates a cryptograph based on the inputted document, the attribute to be disclosed, and each of the parameters; a signature text generating module which generates a zero-knowledge signature text from the generated cryptograph; and a signature output module which outputs the cryptograph and the zero-knowledge signature text as the signature data. The user public key and the attribute certificate are generated by using a same power.

Abstract: An efficient and safe group signature scheme is provided. According to the present invention, an open unit is provided to not an issuer but an opener, and a data required for operating the open unit does not include a key pair of the issuer, so that it is possible to accurately operate the open unit even if the issuer generates the public key in an illegal manner. In addition, it is possible to prove that a key pair of a member cannot be counterfeited. It is possible to implement from a discrete logarithm assumption a feature that a cipher text, that is, a portion of a signature text can be decrypted only by the opener in a method which is the same as a method representing that an ElGamal crypto scheme is safe. In addition, it is possible to implement from a random oracle assumption a feature that a knowledge signature has an extractability in a method which is the same as a method proving that a Schnorr signature is safe.

Abstract: An efficient pseudo-random function and an efficient limited number of times authentication system using such a function are realized. A pseudo-random function calculating device comprises a key creating means and a pseudo-random function calculating means. The key creating means creates a public key made of a set of at least a first component and a second component as components constituting an element of a finite group and a secret key made of an integer and secretly saves the created secret key in a secret key memory section but makes the public key public. The pseudo-random function calculating means outputs the element of a finite group as function value of the pseudo-random function upon receiving an integer as input.

Abstract: In a group signature system of the present invention, user device 400 registered in the group, when receiving an issuing device public key of a set that includes order N of a cyclic group and its elements a—0, a—1 and a—2, determines such primes e and e? that e? is a prime that is obtained by subtracting a fixed number smaller than the prime e from the prime e, generates a user device secret key of a set including such numbers x and r that the product between a—0 and the result obtained by performing modular exponentiation of a—1 by number x, multiplied by the result obtained by performing modular exponentiation of a—2 by number r is equal to the result obtained by performing element A of the first cyclic group raised to the e-th power, based on order N as a modulus, and a user device public key of a set including prime e, prime e? and element A, transmits prime e? to revocation manager 300, receives B calculated based on prime e? from revocation manager 300 to obtain a message, generates a signature statemen

Abstract: Provided is a zero-knowledge proof system that allows a discrete-logarithm zero-knowledge proof. The zero-knowledge proof device includes a temporary memory unit that stores pseudorandom numbers and previously determined hash values, a first processing unit that calculates multiple pseudorandom numbers and performs multiple iterations of processing to calculate hash values based on the calculated pseudorandom numbers and the information stored in the temporary memory unit, a second processing unit that determines some of the multiple pseudorandom numbers based on the hash values, and a third processing unit that re-calculates some of the pseudorandom numbers and sends the hash values obtained to a zero-knowledge verification device.

Abstract: Provided are a signature apparatus, a verifying apparatus, a proving apparatus, an encrypting apparatus, and a decrypting apparatus capable of efficiently reducing a signature text counterfeit problem to a discrete logarithm problem. The commitment is a hash value of a set of a value to be committed. Data including a pair of elements of a cyclic group associated with a discrete logarithm problem is used as a public key, and a discrete logarithm of an order of the pair is used as a secret key. Accordingly, it is possible to summarize secret information of an attacker from the commitment without rewinding the attacker and to ensure a higher safety than that of a Schnorr signature scheme. In addition, one-time power residue calculation is performed in each of the signature and verification calculations, so that it is possible to lower an amount of calculation in the signature and verification calculations.

Abstract: There is provided in accordance with the present invention a key issuing method for being performed by a user apparatus in a group signature system including the user apparatus and an issuer apparatus connected to the user apparatus through a network.

Abstract: In an input process, a circuit and an input bit to the circuit are inputted to a plurality of computers. Firstly, one computer performs calculation and transmits the calculation result to another computer of the computers. Next, the another computer which has received the calculation result performs the next calculation. Thus, calculation is performed by one computer after another. When all the computers have performed calculation once, the last computer which has performed calculation transmits the calculation result to the first computer which has performed calculation. After this, calculation is performed by one computer after another and the calculation result is transmitted to the next computer, thereby repeating the calculation of each cycle. Thus, it is possible to realize calculation of a value of a given function by using a device including a plurality of computers, with a simpler configuration.

Abstract: An information and communication system or the like which handles an attribute, at the same time enables the attribute not being made a public information, is efficient, and does not require a database should be provided. Pseudonym and validation tag generation means output validation tag including a commitment of a secret key of a user apparatus and a pseudonym, credential generation means outputs a signed document corresponding to a validation tag and a pseudonym as a credential, a user apparatus transmits a signed document to a verifier apparatus, a user apparatus proves to a verifier apparatus that a validation tag is a commitment of a secret key, a verifier apparatus verifies a signed document, and a verifier apparatus verifies the proof that a validation tag is a commitment of a secret key.

Abstract: The proof verification system of the present invention is composed of a proving device (100) and a verifying device (200). The proving device (100) holds m items of n items of secret data, and finds a plurality of Commit values from a portion of the plurality of elements of a cyclic group to transmit to the verifying device. Upon receiving a Challenge value c from the verifying device, the proving device generates remaining elements of a plurality of elements of the cyclic group, calculates a plurality of response values from the result, and transmits the plurality of elements of the cyclic group and the plurality of response values.

Abstract: In a group signature system of the present invention, user device 400 registered in the group, when receiving an issuing device public key of a set that includes order N of a cyclic group and its elements a—0, a—1 and a—2, determines such primes e and e? that e? is a prime that is obtained by subtracting a fixed number smaller than the prime e from the prime e, generates a user device secret key of a set including such numbers x and r that the product between a—0 and the result obtained by performing modular exponentiation of a—1 by number x, multiplied by the result obtained by performing modular exponentiation of a—2 by number r is equal to the result obtained by performing element A of the first cyclic group raised to the e-th power, based on order N as a modulus, and a user device public key of a set including prime e, prime e? and element A, transmits prime e? to revocation manager 300, receives B calculated based on prime e? from revocation manager 300 to obtain a message, generates a signature statemen

Abstract: A key creating device creates a first public key and a first secret key of the electronic signature method satisfying the noncounterfeitability and a second public key and the first secret key of the chameleon commitment method. The signature device generates a commitment, a first random number according to the Com algorithm, and a first signature by using the first secret key. The signature device further generates a second random number according to the Cam algorithm by using the message written by adding a first signature to an object message, and creates an electronic signature by combining the first signature and the second random number. A verifying device receives the signed message written by adding the first signature included in the electronic signature to the object message, creates a commitment according to the ComVer algorithm, and performs verification by using the commitment and the first signature.

Abstract: An RSA signature method is provided in which the length of a signature does not depend on the number of signature devices when multiple signature devices are related to the creation of the signature. A signature device i_{m} includes first conversion means SS1B105 that performs no operation if a received signed text u_{i_{m?1}} exceeds a modulus n_{i_{m}} and, if not, adds an RSA-method-based signature; bijective conversion means S1B106 that multiplies the result by a function that maps the result to a value larger by the modulus n_{i_{m}}; second conversion means S1B107 that performs no operation if the operation result exceeds the modulus n_{i_{m}} and, if not, adds an RSA-method-based signature; and output means S1B109 that outputs the operation result as the signed text u_{i_{m}}.

Abstract: An efficient pseudo-random function and an efficient limited number of times authentication system using such a function are realized. A pseudo-random function calculating device comprises a key creating means and a pseudo-random function calculating means. The key creating means creates a public key made of a set of at least a first component and a second component as components constituting an element of a finite group and a secret key made of an integer and secretly saves the created secret key in a secret key memory section but makes the public key public. The pseudo-random function calculating means outputs the element of a finite group as function value of the pseudo-random function upon receiving an integer as input.

Abstract: A time apparatus subjects a plurality of IDs to extract algorism. Each of the plurality of IDs is configured from a bit sequence, and the bit sequence is formed by expressing a current time instant as a bit sequence and concatenating a few bits from the first of the bit sequence. The time apparatus produces a plurality of decryption keys obtained as a result of subjecting the plurality of specified IDs to the extract algorism. An encryption apparatus specifies a plurality of IDs. Each of the plurality of IDs is configured from a bit sequence, the bit sequence being formed by expressing the designated time instant as a bit sequence and concatenating a few bits from the first of the bit sequence. The encryption apparatus reads the encryption key and the plurality of IDs supplied from the time apparatus to encrypt same plaintext. The encryption apparatus produces plural pieces of ciphertext.