JP6398483B2 - Electronic signature apparatus, electronic signature system, electronic signature method and program - Google Patents

Description

  The present invention relates to an electronic signature device, an electronic signature system, an electronic signature method, and a program.

  In recent years, electronic signatures are used for prevention of forgery and falsification of electronic documents and for personal authentication. In this electronic signature, a pair of a private key and a public key is generated in advance, and the private key is stored so that only the signer can use it. For example, the secret key is stored by the signer itself in an IC (Integrated Circuit) card or the like so as to be secret from others (see, for example, Patent Document 1).

As a result, the signer generates a signature with the stored private key for the electronic document submitted by the signer. In the verification, it is determined whether or not the pair of the signature and the electronic document corresponding to the signature is a correct combination using the public key.
In addition, there is biometric authentication that performs personal authentication using the biometric information of the user as authentication information. The biometric authentication is more convenient for the user because it is not lost or forgotten compared to the authentication using an IC card and a password.

JP 2003-203207 A

However, a user who generates an electronic signature needs to input a password and a personal identification number in order to securely hold and use the private key. For this reason, the configuration using the secret key stored in the IC card is less convenient for the user.
On the other hand, when biometric information is used for personal authentication, information such as a password and a personal identification number is stored and is not input when used, which is highly convenient.
However, as the biometric information, a feature amount as a human individual, for example, a feature amount peculiar to each individual such as a fingerprint or a vein is used. For this reason, if biometric information leaks, there is a risk of forgery, but biometric information as a new feature cannot be obtained, and thus safety cannot be recovered in a lifetime.

  The present invention has been made in view of such circumstances, and it is not necessary to store a password or a personal identification number, and an electronic signature device having redundancy for generating new authentication information even if the authentication information is leaked It is an object to provide an electronic signature system, an electronic signature method, and a program.

  The present invention has been made to solve the above-described problems, and the electronic signature device of the present invention uses a first response data obtained by calculating challenge data using a physical copy impossible function (PUF) to generate a PUF certificate. And a signature registration unit that generates a PUF signature from the second response data obtained by calculating the challenge data with a physical duplication impossible function, wherein the certificate registration unit includes: A first PUF key pair generating unit that generates a private key / public key pair, and a PUF certificate generating unit that generates a PUF certificate using information in which the first response data is embedded in the private key. The signature generation unit includes a second PUF key pair generation unit that generates a pair of a primary secret key and a primary public key, and information in which the second response data is embedded in the secret key. Characterized in that it comprises a PUF signature generation unit which generates a PUF signature used.

  In the electronic signature device according to the present invention, the certificate registration unit selects one of a plurality of different challenge data according to a preset rule, and transmits the selected challenge data to a PUF device having a PUF logic circuit of the physical copy disable function. Then, the first response data is obtained, and the signature generation unit selects the same challenge data as the certificate registration unit according to the rule from a plurality of different challenge data, and the PUF of the physical copy impossible function The second response data is obtained by transmitting to a PUF device having a logic circuit.

  In the electronic signature device of the present invention, the certificate registration unit transmits a plurality of different challenge data to a PUF device having a PUF logic circuit of the physical copy impossible function, and obtains a plurality of the first response data, A new first response data is generated by a predetermined calculation using a plurality of the first response data, the PUF certificate is generated by the new first response data, and the signature generation unit is configured to register the certificate. A plurality of different challenge data that is the same as the copy unit is transmitted to the PUF device having the PUF logic circuit of the physical copy disable function, a plurality of the second response data is obtained, and a plurality of the second response data is used to obtain a certificate New second response data is generated by the same predetermined calculation as that of the registration unit, and the PU is generated by the new second response data. And generating a signature.

  In the electronic signature device of the present invention, the certificate registration unit transmits the one-time challenge data generated each time to a PUF device having a PUF logic circuit of the physical copy disable function, and the first response data The signature generation unit transmits the same one-time challenge data as the certificate registration unit to a PUF device having a PUF logic circuit of the physical copy impossible function, and obtains the second response data. It is characterized by that.

The electronic signature system of the present invention calculates a challenge data to be inputted by a function that cannot be physically copied, outputs a response data as a PUF device, and inputs the challenge data to the PUF device. A certificate registration device that generates a PUF certificate by using the first response data as the response data supplied, and the challenge data that is the same as the certificate registration device is input to the PUF device, and the PUF device a signature generation apparatus for generating a PUF signed by second response data as the response data supplied, the signature verification device and Bei give a verifying the PUF signed by the PUF certificate, said certificate registration device, secret A first PUF key pair generation unit for generating a key and public key pair; A PUF certificate creating unit that creates a PUF certificate using information embedded in the first response data in the secret key, and the signature generation device generates a pair of a primary secret key and a primary public key a first 2PUF key pair generating unit, the second response data, characterized that you and a PUF signature generation unit which generates a PUF signature using the embedded information on the secret key.

Electronic signature system of the present invention, prior Symbol signature verification device, and the PUF proof embedded the first response data to the secret key in bill information, the second response data in the PUF signing the primary private key By determining whether or not the PUF certificate and the PUF signature are generated based on the response data obtained by the physical copy impossible function by the same PUF device using the embedded information The PUF signature is verified.

  In the electronic signature system of the present invention, the certificate registration apparatus selects one of a plurality of different challenge data according to a preset rule, and the PUF device having the PUF logic circuit of the physical copy disable function Transmitting the first response data, and the signature generation device selects the same challenge data as the certificate registration device according to the rule from a plurality of different challenge data, and the physical copy impossible function The second response data is obtained by transmitting to a PUF device having a PUF logic circuit.

  In the electronic signature system of the present invention, the certificate enrollment device transmits a plurality of different challenge data to a PUF device having a PUF logic circuit of the physical duplication impossible function, and obtains a plurality of the first response data, A new first response data is generated by a predetermined calculation using a plurality of the first response data, the PUF certificate is generated by the new first response data, and the signature generation device is configured to register the certificate. A plurality of different challenge data that is the same as the apparatus is transmitted to the PUF device having the PUF logic circuit of the physical non-replicatable function, a plurality of second response data is obtained, and a plurality of the second response data is used. New second response data is generated by the same predetermined calculation as the certificate registration unit, and the new second response data is generated. And generating the PUF signed by.

  In the electronic signature system of the present invention, the certificate registration apparatus transmits the one-time challenge data generated each time to a PUF device having a PUF logic circuit of the physical copy disable function, and the first response data The signature generation device transmits the same one-time challenge data as the certificate registration device to the PUF device having the PUF logic circuit of the physical copy disable function, and obtains the second response data. It is characterized by that.

  The electronic signature system according to the present invention includes a certificate registration unit that generates a PUF certificate based on first response data obtained by calculating challenge data using a physical copy impossible function (PUF), and the challenge data cannot be physically copied. A signature method in a signature device including a signature generation unit that generates a PUF signature based on second response data obtained by calculating with a function, wherein the certificate registration unit generates a first key and a public key pair A key pair generation process, a PUF certificate generation process in which the certificate registration unit generates a PUF certificate using information in which the first response data is embedded in the secret key, and the signature generation unit A second PUF key pair generation process for generating a pair of a private key and a primary public key, and the certificate registration unit embeds the second response data in the private key It characterized in that it comprises a PUF signature generating process of generating the PUF signature using the I information.

The electronic signature system of the present invention includes a process in which a PUF device calculates challenge data to be input by a function that cannot be physically copied and outputs it as response data, and a certificate registration apparatus sends the challenge data to the PUF device. The process of generating data and generating a PUF certificate from the first response data as the response data supplied from the PUF device, and the signature generation device is the same as the certificate registration device for the PUF device A step of inputting the challenge data and generating a PUF signature from the second response data as the response data supplied from the PUF device; and a step of verifying the signature verification apparatus using the PUF certificate. , the certificate registration device, generate a pair of private key and public key A first PUF key pair generation process, and a PUF certificate generation process for generating a PUF certificate using information embedded in the first response data in the secret key, wherein the signature generation apparatus includes a primary secret key And a second PUF key pair generation process for generating a primary public key pair, and a PUF signature generation process for generating a PUF signature using information in which the second response data is embedded in the secret key. It is characterized by doing.

  The program of the present invention includes a certificate registration unit that generates a PUF certificate based on first response data obtained by calculating challenge data using a physical non-copyable function (PUF), and challenge data using a physical non-copyable function. A program that causes a computer to execute an operation of a signature device including a signature generation unit that generates a PUF signature from the second response data obtained by the calculation, and generates a pair of a private key and a public key, A certificate registration means for creating a PUF certificate using information embedded in the first response data in the private key, a primary private key and a primary public key pair are generated, and the second response data is used as the private key. This is a program for functioning as signature generation means for generating a PUF signature using information embedded in.

  According to the present invention, there is no need to store a password or a personal identification number, and even if authentication information is leaked, an electronic signature system, an electronic signature method, an electronic signature generation device having redundancy for generating new authentication information, It is possible to provide an electronic signature generation method, a certificate registration device, a certificate registration method, and a program.

It is a schematic block diagram which shows the structural example of the electronic signature system by the 1st Embodiment of this invention. It is a figure which shows the structural example of the PUF certificate table memorize | stored in the repository database. It is a sequence diagram which shows the operation example of the PUF certificate registration process by the certificate registration apparatus 12 in 1st Embodiment. It is a sequence diagram which shows the operation example of the signature production | generation process by the signature production | generation apparatus 11 in 1st Embodiment. It is a sequence diagram which shows the operation example of the signature verification process by the signature verification apparatus 11 in 1st Embodiment. It is a figure which shows the structural example of the challenge data table in 2nd Embodiment. It is a figure which shows the structural example of the certificate table in the repository database 142 in 2nd Embodiment. It is a sequence diagram which shows the operation example of the PUF certificate registration process by the certificate registration apparatus 12 in 2nd Embodiment. It is a sequence diagram which shows the operation example of the signature production | generation process by the signature production | generation apparatus 11 in 2nd Embodiment. It is a schematic block diagram which shows the structural example of the electronic signature system by the 3rd Embodiment of this invention. It is a sequence diagram which shows the operation example of the PUF certificate registration process by certificate registration apparatus 12 'in 3rd Embodiment. It is a sequence diagram which shows the operation example of the signature production | generation process by the signature production | generation apparatus 11 'in 3rd Embodiment. It is a schematic block diagram which shows the structural example of the electronic signature system by the 4th Embodiment of this invention. It is a sequence diagram which shows the operation example of the PUF certificate registration process by the certificate registration part 182 in the signature apparatus 18 of 4th Embodiment.

<First Embodiment>
Hereinafter, a first embodiment of the present invention will be described with reference to the drawings. FIG. 1 is a schematic block diagram showing a configuration example of an electronic signature system according to the first embodiment of the present invention. In FIG. 1, an electronic signature system 1 includes a signature generation device 11, a certificate registration device 12, a signature verification device 13, a certificate management device 14, a PUF (Physical Unclonable Function) device 15, and a reading device. 16 and a reading device 17. Each of the signature generation device 11, the certificate registration device 12, the signature verification device 13, and the certificate management device 14 is connected to an information communication line 100 such as the Internet.

  Each of the signature generation device 11, the certificate registration device 12, the signature verification device 13, and the certificate management device 14 transmits and receives various data via the information communication line 100. Each of the reading device 16 and the reading device 17 is connected to a signature generation device 11 and a certificate registration device 12. The PUF device 15 transmits / receives various data to / from the signature generation device 11 and the illumination card registration device 12 via the reading device 16 and the reading device 17, respectively.

  The certificate registration device 12 is a device that creates an electronic certificate (a PUF certificate described later) and registers it in the certificate management device 14. The certificate registration device 12 includes a challenge data management unit 121, a challenge data transmission unit 122, a response data reception unit 123, an ID (Identification) input unit 124, a PUF key pair generation unit 125, and a PUF certificate creation unit 126. ing. Here, the PUF refers to a function (physical non-duplicatable function) that outputs a value unique to a device using physical features that are difficult to duplicate, such as errors between individuals in the manufacture of semiconductor electronic circuits.

  In the present embodiment, this PUF (physical non-replicatable function) is obtained by, for example, using a signal delay due to a delay based on a manufacturing variation in a semiconductor circuit, and a logical operation in the logic circuit is caused by an individual difference of the semiconductor device. A calculation result of each device uses a PUF technology different from that of other semiconductor devices. Therefore, when the same challenge data is transmitted to the PUF device 15 that is a semiconductor device, the response data that is the result of the logical operation in the PUF circuit 151 is output as a different numerical value depending on the individual difference of each PUF device 15. .

In the challenge data management unit 121, challenge data is written and managed in advance in an internal storage unit. The challenge data is predetermined information set in advance.
The challenge data transmission unit 122 reads the challenge data X from the challenge data management unit 121 and transmits the read challenge data X to the PUF device 15.
The response data receiving unit 123 receives response data Y (first response data) output by the PUF device 15 in response to the challenge data X, and outputs the response data Y to the PUF key pair generation unit 125.
The ID input unit 124 inputs the user's own ID supplied from the user by an input means (not shown) (for example, a keyboard).

The PUF key pair generation unit 125 randomly generates each of the secret key KSe and the public key KPe as a pair using a predetermined electronic signature algorithm.
Also, the PUF key pair generation unit 125 embeds response data Y in the secret key Se using a predetermined embedding function Func, and generates a registration commitment Ce = Func (Y, KSe). Here, the embedding function Func uses a function that makes it difficult to estimate each of the secret key Se and the response data Y from the registration commitment Ce. Also, a set (KPe, Ce) of the public key KPe and the registration commitment Ce is a PUF public key, and the secret key KSe is a PUF secret key.

  The PUF certificate creation unit 126 generates an electronic signature S using the user ID, the PUF public key (KPe, Ce), and the PUF private key KSe. In addition, the PUF certificate creation unit 126 generates a set T (ID, KPe, Ce, S) of an ID, a PUF public key, a registration commitment Ce (KPe, Ce), and an electronic signature S as a PUF certificate. Issue as T. The PUF certificate creation unit 126 registers the generated PUF certificate T (ID, KPe, Ce, S) in the certificate management apparatus 14. Here, as a digital signature algorithm for generating the digital signature S, a general digital signature such as RSA encryption or Schnorr signature is used.

  The signature generation apparatus 11 is an apparatus that creates an electronic signature for proving that it is true information added to data (message). The signature generation device 11 includes a message input unit 111, an ID input unit 112, a challenge data management unit 113, a challenge data transmission unit 114, a response data reception unit 115, a PUF key pair generation unit 116, a PUF signature generation unit 117, and a PUF signature output. Each part 118 is provided.

The message input unit 111 inputs message data supplied by an input unit (not shown).
The ID input unit 112 inputs the user's own ID supplied by the input means from the user.
In the challenge data management unit 113, challenge data is written and managed in advance in an internal storage unit. The challenge data is predetermined information set in advance.
The challenge data transmission unit 114 reads the challenge data X from the challenge data management unit 113 and transmits the read challenge data X to the PUF device 15.
The response data receiving unit 115 receives the response data Y ′ (second response data) output by the PUF device 15 corresponding to the challenge data X, and outputs the response data Y ′ (second response data) to the PUF key pair generating unit 116.

  The PUF key pair generation unit 116 randomly generates a private key / public key pair using the same electronic signature algorithm as the PUF key pair generation unit 125. Here, the secret key is a primary secret key KSs, and the public key is a primary public key KPs.

The PUF signature generation unit 117 embeds response data Y ′ in the primary secret key KSs using the same embedding function Func as the PUF key pair generation unit 125, and generates a signature commitment Cs = Func (Y ′, KSs). To do.
Also, the PUF signature generation unit 117 generates an electronic signature γ ′ for the message data by using the same electronic signature algorithm as the primary public key KPs and the PUF key pair generation unit 125.
The PUF signature generation unit 117 generates a set γ (ID, KPs, Cs, γ ′) of the user ID, the primary PUF public key KPs, the signature commitment Cs, and the electronic signature γ ′ as the PUF electronic signature γ. To do.

  The PUF signature output unit 118 adds the generated PUF electronic signature to the message data and outputs it as a message with a PUF signature.

  The signature verification device 13 is a device that verifies the authenticity of a PUF electronic signature in a message with a PUF signature. The signature verification apparatus 13 includes a message input unit 131 with a PUF signature, a PUF certificate acquisition unit 132, a PUF certificate verification unit 133, a PUF signature verification unit 134, and a verification result output unit 135.

When a message with a PUF signature is supplied from the signature generation device 11, the message input unit 131 with a PUF signature outputs the message to the PUF certificate acquisition unit 132.
The PUF certificate acquisition unit 132 extracts the ID from the PUF electronic signature γ (ID, KPs, Cs, γ ′) in the message with the PUF signature. Further, the PUF certificate acquisition unit 132 acquires the PUF certificate T (ID, KPe, Ce, S) from the certificate management apparatus 14 using the extracted ID.

  The PUF certificate verification unit 133 includes the electronic signature S included in the registration commitment Ce included in the PUF certificate T (ID, KPe, Ce, S) and the PUF certificate T (ID, KPe, Ce, S). The authenticity of the PUF certificate T (ID, KPe, Ce, S) is verified with the PUF public key (Y, KPe) included in the registration commitment Ce included in.

The PUF signature verification unit 134 converts the authenticity of the electronic signature γ ′ included in the PUF electronic signature γ (ID, KPs, Cs, γ ′) added to the message data into the PUF electronic signature γ (ID, KPs, Cs, γ). Verification is performed using the primary public key KPs included in ').
Also, the PUF signature verification unit 134 uses the registration commitment Ce included in the PUF certificate T (ID, KPe, Ce, S) and the signature included in the PUF electronic signature γ (ID, KPs, Cs, γ ′). For the commitment Cs, a predetermined function Fdiff_1 is used to calculate a differential secret key KSdiff = Fdiff_1 (Cs, Ce).

  For example, if the response data Y and the response data Y ′ are sufficiently close to each other, that is, if the response data Y ′ is close to the predetermined function Fdiff_1, the difference secret key KSdiff is the difference between the secret key KSe and the primary secret key KSs (KSe− KSs).

The PUF signature verification unit 134 includes the public key KPe included in the PUF certificate T (ID, KPe, Ce, S) and the primary public key KPs included in the PUF electronic signature γ (ID, KPs, Cs, γ ′). On the other hand, using a predetermined function Fdiff_2, a differential public key KPdiff = Fdiff_2 (KPe, KPs) is calculated.
The predetermined function Fdiff_2 described above is such that the differential public key KPdiff becomes a corresponding public key when KSe-KSs corresponding to the difference between the secret key KSe and the primary secret key KSs is regarded as a new secret key. It is configured.

The PUF signature verification unit 134 verifies whether or not the differential private key KSdiff and the differential public key KPdiff are a corresponding key pair by the electronic signature algorithm used in each of the signature generation device 11 and the certificate registration device 12. I do.
As described above, the PUF signature verification unit 134 determines whether or not the PUF signature and the PUF signature are generated based on the response data obtained by the physical duplication impossible function by the same PUF device 15. Is being verified.

The certificate management device 14 is a device in which the PUF certificate T (ID, KPe, Ce, S) generated by the certificate registration device 12 is registered.
The certificate management apparatus 14 includes a DB control unit 141 and a repository database 142.
The repository database 142 stores a PUF certificate table in which user IDs and PUF certificates are associated with each other.
The DB control unit 141 writes and calls a set of the user ID and the PUF certificate with respect to the PUF certificate table of the repository database 142.

FIG. 2 is a diagram illustrating a configuration example of the PUF certificate table stored in the repository database 142.
As shown in FIG. 2, the user ID and the PUF certificate are stored in the PUF certificate table in association with each other.

Returning to FIG. 1, the PUF device 15 performs an operation based on the PUF technology using physical individual differences on the supplied challenge data, and generates response data.
The PUF device 15 includes a PUF circuit 151 and a data control unit 152.
The PUF circuit 151 has a circuit configuration in which a different logical operation is performed in each PUF device 15 due to physical individual differences. For this reason, each of the PUF circuits 151 generates and outputs response data different from other PUF devices due to individual differences even if the same challenge data as other different PUF circuits 151 is supplied. The PUF circuit 151 may have any configuration as long as individual differences are caused by the PUF technique.
The data control unit 152 supplies challenge data to the PUF circuit 151 and reads response data.

The reading device 16 is a card reader or the like, is connected to the signature generation device 11, and transmits / receives data between the signature generation device 11 and the PUF device 15.
The reading device 17 is a card reader or the like, is connected to the certificate registration device 12, and transmits / receives data between the certificate registration device 12 and the PUF device 15.

FIG. 3 is a sequence diagram illustrating an operation example of PUF certificate registration processing by the certificate registration apparatus 12 according to the first embodiment.
Challenge data transmission unit 122 reads challenge data X from challenge data management unit 121 and acquires challenge data X (sequence S111).
The challenge data transmission unit 122 transmits the acquired challenge data X to the reading device 17 (sequence S112).
Then, the reading device 17 transmits the supplied challenge data X to the PUF device 15 (sequence S113).

The data control unit 152 outputs the supplied challenge data to the PUF circuit 151. Then, the PUF circuit 151 performs a specific calculation on the input challenge data X, and outputs the calculation result as response data Y to the data control unit 152 (sequence S114).
The data control unit 152 transmits the response data Y supplied from the PUF circuit 151 to the certificate registration device 12 via the reading device 17 (sequence S115).

The response data reception unit 123 receives the response data Y supplied from the PUF device 15 and outputs the received response data Y to the PUF key pair generation unit 125 (sequence S116).
ID input unit 124 temporarily stores an ID input by the user from the input means (sequence S117).

The PUF key pair generation unit 125 randomly generates each of the secret key KSe and the public key SPe as a pair by a predetermined electronic signature algorithm (sequence S118).
Then, the PUF key pair generation unit 125 embeds response data Y with respect to the secret key KSe using the embedding function Func, and generates a registration Ce for registration. The PUF key pair generation unit 125 generates a PUF public key (KPe, Ce) from the registration commitment Ce and the public key KPe (sequence S119).

The PUF certificate creation unit 126 reads the ID from the ID input unit 124. The PUF certificate creation unit 126 generates an electronic signature S from the ID, the PUF public key (KPe, Ce), and the PUF private key KSe, and then generates a PUF certificate T (ID, KPe, Ce, S) ( Sequence S120).
Then, the PUF certificate creation unit 126 transmits the generated PUF certificate T (ID, KPe, Ce, S) to the certificate management apparatus 14 for registration processing (sequence S121).

  The DB control unit 141 extracts an ID from the PUF certificate T (ID, KPe, Ce, S) supplied from the certificate registration apparatus 12. Then, the DB control unit 141 performs registration processing by writing and storing the extracted ID and the PUF certificate T (ID, KPe, Ce, S) in the PUF certificate table of the repository database 142 as a set. (Sequence S122).

FIG. 4 is a sequence diagram illustrating an operation example of signature generation processing by the signature generation apparatus 11 according to the first embodiment.
The message input unit 111 acquires the message data input from the input means by the user and temporarily stores it inside (sequence S211).
The ID input unit 112 acquires ID (user ID) message data input by the user from the input means, and temporarily stores it inside (sequence S212).
Challenge data transmission unit 114 reads challenge data X from challenge data management unit 113 and acquires challenge data X (sequence S213).

The challenge data transmission unit 114 transmits the acquired challenge data X to the reading device 16 (sequence S214).
Then, the reader 16 transmits the supplied challenge data X to the PUF device 15 (sequence S215).
The data control unit 152 outputs the supplied challenge data to the PUF circuit 151. Then, the PUF circuit 151 performs a specific calculation on the input challenge data X, and outputs the calculation result as response data Y ′ to the data control unit 152 (sequence S216).

The data control unit 152 transmits the response data Y ′ supplied from the PUF circuit 151 to the signature generation device 11 via the reading device 16 (sequence S217).
The response data receiving unit 115 receives the response data Y ′ supplied from the PUF device 15 and outputs the received response data Y ′ to the PUF signature generation unit 117 (sequence S218).

The PUF key pair generation unit 116 randomly generates each of the primary secret key KSs and the primary public key KPs as a pair by a predetermined electronic signature algorithm (sequence S219).
Then, the PUF signature generation unit 117 embeds the response data Y ′ in the primary secret key KSs using the embedding function Func, and generates a signature commitment Cs (sequence S220).

The PUF signature generation unit 117 reads an ID from the ID input unit 112. The PUF signature generation unit 117 generates an electronic signature γ ′ from the primary public key KPs and a predetermined electronic signature algorithm, and then uses the ID, the primary public key KPs, the signature commitment Cs, and the electronic signature γ ′ to generate the PUF signature γ. (ID, KPs, Cs, γ ′) is generated (sequence S221).
Then, the PUF signature generation unit 117 adds the generated PUF signature γ (ID, KPs, Cs, γ) to the message data, and outputs the message with a PUF signature (sequence S222).

FIG. 5 is a sequence diagram illustrating an operation example of signature verification processing by the signature verification apparatus 13 according to the first embodiment.
When a message with a PUF signature is supplied from the signature generation device 11, the message input unit 131 with a PUF signature acquires a message with a PUF signature (sequence S <b> 311).
The PUF certificate acquisition unit 132 extracts the ID from the PUF signature γ (ID, KPs, Cs, γ ′) in the message with the PUF signature. Then, the PUF certificate acquisition unit 132 transmits the extracted ID to the certificate management device 14 and instructs the sending of the PUF certificate corresponding to this ID (sequence S312).

  The DB control unit 141 of the certificate management apparatus 14 corresponds to this ID when a request for sending the ID and the PUF certificate T (ID, KPe, Ce, S) is supplied from the PUF certificate acquisition unit 132. The PUF certificate T (ID, KPe, Ce, S) is searched from the PUF certificate table of the repository database 142. Then, the DB control unit 141 transmits the PUF certificate T (ID, KPe, Ce, S) read from the PUF certificate table corresponding to the ID to the signature verification apparatus 13 (sequence S313).

The PUF certificate acquisition unit 132 acquires the PUF certificate T (ID, KPe, Ce, S) supplied from the certificate management apparatus 14 (sequence S314).
Next, the PUF certificate verification unit 133 performs an operation by the electronic signature algorithm using the electronic signature S and the public key KPe included in the PUF certificate T (ID, KPe, Ce, S), and this PUF certificate It is determined whether or not T (ID, KPe, Ce, S) has been tampered with (sequence S315).
Then, the PUF signature verification unit 134 performs an operation using the electronic signature algorithm using the electronic signature γ ′ and the primary public key KPs included in the PUF signature γ (ID, KPs, Cs, γ ′), and PUF signature γ ( It is determined whether or not (ID, KPs, Cs, γ ′) has been tampered (sequence S316).

Next, the PUF signature verification unit 134 uses the registration commitment Cs included in the PUF certificate T (ID, KPe, Ce, S) and the signature included in the PUF signature γ (ID, KPs, Cs, γ ′). A differential secret key KSdiff is calculated by a predetermined function Fdiff_1 using the commitment Cs (sequence S317).
The PUF signature verification unit 134 then includes the public key KPe included in the PUF certificate T (ID, KPe, Ce, S) and the primary public key KPs included in the PUF signature γ (ID, KPs, Cs, γ ′). Are used to calculate a differential public key KPdiff by a predetermined function Fdiff_2 (sequence S318).

  The PUF signature verification unit 134 verifies whether or not the obtained differential secret key KSdiff and differential public key KPdiff are a paired key by using a digital signature algorithm (sequence S319). At this time, the PUF signature verification unit 134 determines that the response data Y and the response data Y ′ are approximated when the differential secret key Sdiff matches the difference between the secret key KPe and the primary secret key KPs. When the PUF signature verification unit 134 verifies that the secret key KSdiff and the differential public key KPdiff are a paired key, the PUF signature γ (ID, KPs, Cs, γ ′) is the PUF certificate. It is determined that it corresponds to T (ID, KPe, Ce, S).

  Then, the verification result output unit 135 outputs information indicating that the PUF signature corresponds to the PUF certificate and indicates the verification success when all the verifications are successful. On the other hand, the verification result output unit 135 displays verification failure information including a cause of failure such as falsification of the PUF certificate and PUF signature or failure of the PUF certificate and PUF signature when the verification fails. Output (sequence S320).

As described above, according to the present embodiment, in addition to the message data to be signed, the user ID, and the response data generated by the PUF technique, the signature generation apparatus 11 stores some user information, that is, a password and a password. There is no need to memorize, and the convenience for the user is improved as compared with the prior art.
In addition, according to the present embodiment, even if challenge data that is the core of authentication information leaks, it is possible to easily generate new authentication information by changing to different challenge data, thus providing redundancy. be able to.

Further, by storing the ID in the PUF device 15, there is no need for the user to input the ID from the input means, and each of the ID input unit 112 and the ID input unit 124 reads from the PUF device 15. can do. As a result, by installing the signature generation device 11 in the sensor device, when the acquired sensor data is output as message data, it is possible to send and receive data between the devices without the need for human-related steps. .
In addition, according to the present embodiment, by mounting the PUF circuit on the IC card, it is possible to easily detect falsification of authentication information and the like, so that it can also be used for settlement of a credit card or the like.

In the present embodiment, the challenge data stored in each of the challenge data management unit 113 and the challenge data management unit 121 is encrypted, and may be configured to be decrypted and used each time it is used.
Further, the challenge data is not stored in the challenge data management unit 113, but the challenge data may be configured so that the certificate registration side and the signature generation side share the challenge data using a secure element such as an IC card. good.

<Second Embodiment>
The second embodiment of the present invention will be described below with reference to the drawings. The second embodiment is the same as the configuration of FIG. 1 of the first embodiment. Only operations different from those of the first embodiment will be described below.
In the second embodiment, each of the challenge data management unit 113 and the challenge data management unit 121 stores a challenge data table in which a plurality of challenge data is stored.

  FIG. 6 is a diagram illustrating a configuration example of a challenge data table in the second embodiment. In FIG. 2, the challenge data table has a configuration in which a table number corresponds to challenge data corresponding to the table number. That is, each of the challenge data management unit 113 and the challenge data management unit 121 stores a challenge data table having a plurality of corresponding combinations of challenge data and table numbers in advance. The challenge data is read from the challenge data table by each of the challenge data transmission unit 114 and the challenge data transmission unit 122 corresponding to the table number.

  Each of the challenge data transmission unit 114 and the challenge data transmission unit 122 is configured to use the same data by synchronizing which table number to use. In other words, each of the challenge data transmission unit 114 and the challenge data transmission unit 122 is synchronized with the same table number so that the challenge data used on the day is the same according to a predetermined rule such as the date and time or the description order of the table. It is the composition taken. The predetermined rule is written and set in advance in each of the challenge data transmission unit 114 and the challenge data transmission unit 122.

FIG. 7 is a diagram illustrating a configuration example of a certificate table in the repository database 142 according to the second embodiment.
In the certificate table, each of an ID, a table number TN (simply a table number in FIG. 7), and a PUF certificate is associated. Since the PUF certificate is different if the table number is the same even for the same ID, the PUF certificate is searched from the certificate table by the combination of the ID and the table number TN.

FIG. 8 is a sequence diagram illustrating an operation example of PUF certificate registration processing by the certificate registration apparatus 12 according to the second embodiment.
The challenge data transmission unit 122 acquires a table number for selecting challenge data according to a predetermined rule (sequence S131).
Then, the challenge data transmission unit 122 reads the challenge data X corresponding to the table number from the challenge data table of the challenge data management unit 121, and acquires the read challenge data X (sequence S132).
Hereinafter, since each of sequence S133 to sequence S140 is the same as each of sequence S112 to sequence S119 of FIG. 3, description thereof will be omitted.

The PUF certificate creation unit 126 reads the ID from the ID input unit 124. The PUF certificate creation unit 126 generates an electronic signature S using an ID, a PUF public key (KPe, Ce), and a PUF private key KSe, and then generates a PUF certificate T (TN, ID, KPe, Ce, S). (Sequence S141). In the present embodiment, the PUF certificate T includes a table number TN.
Then, the PUF certificate creation unit 126 transmits the generated PUF certificate T (TN, ID, KPe, Ce, S) to the certificate management apparatus 14 for registration processing (sequence S142).

  The DB control unit 141 extracts an ID from the PUF certificate T (TN, ID, KPe, Ce, S) supplied from the certificate registration apparatus 12. Then, the DB control unit 141 performs registration processing by writing and storing the extracted ID and the PUF certificate T (TN, ID, KPe, Ce, S) as a set to the PUF certificate table of the repository database 142. Is performed (sequence S143).

  The DB control unit 141 extracts the table number TN from the PUF certificate T (TN, ID, KPe, Ce, S) supplied from the certificate registration apparatus 12. Then, the DB control unit 141 writes the table number TN to the PUF certificate table of the repository database 142 so as to be paired with the already written ID and PUF certificate T (TN, ID, KPe, Ce, S). In step S144, the registration process ends.

FIG. 9 is a sequence diagram illustrating an operation example of signature generation processing by the signature generation apparatus 11 according to the second embodiment.
Message input unit 111 acquires message data input by the user from the input means, and temporarily stores it inside (sequence S231).
The ID input unit 112 acquires the message data input from the input means by the user and temporarily stores it inside (sequence S232).
The challenge data transmission unit 114 acquires a table number for selecting challenge data (sequence S233).

The challenge data transmission unit 114 reads the challenge data X corresponding to the acquired table number from the challenge data table of the challenge data management unit 113, and acquires the challenge data X (sequence S234).
Hereinafter, since each of sequence S235 to sequence S241 is the same as each of sequence S214 to sequence S220 in FIG. 4, description thereof will be omitted.

The PUF signature generation unit 117 reads an ID from the ID input unit 112. The PUF signature generation unit 117 generates an electronic signature γ ′ from the primary public key KPs and a predetermined electronic signature algorithm, and then uses the ID, the primary public key KPs, the signature commitment Cs, and the electronic signature γ ′ to generate the PUF signature γ. (TN, ID, KPs, Cs, γ ′) is generated (sequence S242). In the present embodiment, the PUF signature γ includes a table number TN.
Then, the PUF signature generation unit 117 adds the generated PUF signature γ (TN, ID, KPs, Cs, γ) to the message data, and outputs it as a message with a PUF signature (sequence S243).

In the second embodiment, the following processing is performed in each of the sequence S312 and the sequence S313 in FIG.
The PUF certificate acquisition unit 132 extracts each of the ID and the table number TN from the PUF signature γ (TN, ID, KPs, Cs, γ ′) in the message with the PUF signature. Then, the PUF certificate acquisition unit 132 transmits the extracted ID and table number TN to the certificate management apparatus 14, and instructs to send the PUF certificate T corresponding to the combination of this ID and table number TN (sequence). S312).

  When a request for sending an ID and a PUF certificate T (TN, ID, KPe, Ce, S) is supplied from the PUF certificate acquisition unit 132, the DB control unit 141 supplies a PUF certificate T corresponding to this ID. (TN, ID, KPe, Ce, S) is searched from the PUF certificate table of the repository database 142. Then, the DB control unit 141 transmits the PUF certificate T (TN, ID, KPe, Ce, S) read from the PUF certificate table corresponding to the ID to the signature verification apparatus 13 (sequence S313). .

As described above, according to the present embodiment, since challenge data is not only one but is rotated and selected from a plurality of the challenge data, the challenge data is more selected than the first embodiment. It is possible to reduce the possibility of leakage of data, and to ensure redundancy that new challenge data can be issued when challenge data leaks.
The challenge data table may be configured not to be stored in each of the challenge data management unit 113 and the challenge data management unit 121 but to be stored in a secure element such as an IC card.

<Third Embodiment>
The third embodiment of the present invention will be described below with reference to the drawings. FIG. 10 is a schematic block diagram showing a configuration example of an electronic signature system according to the third embodiment of the present invention.
The second embodiment is the same as the configuration of FIG. 1 of the first embodiment. Only operations different from those of the first embodiment will be described below.
In the electronic signature system 1 ′ according to the third embodiment, the same components as those in the first embodiment in FIG. 1 are denoted by the same reference numerals, and the description thereof is omitted. In the signature generation apparatus 11 ′ of the electronic signature system 1 ′ of the third embodiment, a response data calculation unit 119 is added to the signature generation apparatus 11 in the first embodiment of FIG. Further, the certificate registration device 12 ′ of the electronic signature system 1 ′ of the third embodiment has a response data calculation unit 127 added to the certificate registration device 12 of the first embodiment of FIG. Hereinafter, only the configuration and operation of the electronic signature system 1 ′ according to the third embodiment different from those of the first embodiment will be described.

The challenge data management unit 121 stores a plurality of challenge data. The challenge data transmission unit 122 sequentially transmits a plurality of challenge data to the PUF device 15 in time series.
The PUF device 15 performs an operation in which the challenge data supplied from the certificate registration device 12 ′ in time series is sequentially converted into response data by the PUF circuit 151. Then, the PUF device 15 sequentially transmits response data of the calculation result to the certificate registration device 12 ′.
The response data calculation unit 127 performs a logical operation or a calculation using a predetermined function on the plurality of response data transmitted from the PUF device 15, and finally generates one response data to be used. The subsequent processing in the certificate registration device 12 ′ using this response data is the same as that in the first embodiment.

The challenge data management unit 113 stores a plurality of challenge data identical to the challenge data management unit 121. The challenge data transmission unit 114 sequentially transmits a plurality of challenge data to the PUF device 15 in time series.
The PUF device 15 performs an operation in which the challenge data supplied from the signature generation device 11 ′ in time series is sequentially converted into response data by the PUF circuit 151. Then, the PUF device 15 sequentially transmits response data of the calculation result to the signature generation device 11 ′.
The response data calculation unit 119 performs a logical operation or a calculation using a predetermined function on the plurality of response data transmitted from the PUF device 15, and finally generates one response data to be used. The subsequent processing in the signature generation apparatus 11 ′ using this response data is the same as that in the first embodiment.

FIG. 11 is a sequence diagram illustrating an operation example of PUF certificate registration processing by the certificate registration device 12 ′ according to the third embodiment.
The challenge data transmission unit 122 reads and acquires all the challenge data X stored in the challenge data management unit 121 (sequence S151).
The challenge data transmission unit 122 sequentially transmits the acquired plurality of challenge data X to the reading device 17 in time series (sequence S152).
Then, the reading device 17 sequentially transmits the challenge data X supplied in time series to the PUF device 15 (sequence S153).

The data control unit 152 sequentially outputs the challenge data supplied in time series to the PUF circuit 151. Then, the PUF circuit 151 performs a specific calculation on the challenge data X input in time series, and sequentially outputs the calculation result as response data Y to the data control unit 152 (sequence S154).
The data control unit 152 sequentially transmits response data Y supplied in time series from the PUF circuit 151 to the certificate registration device 12 via the reading device 17 (sequence S155).

The response data receiving unit 123 receives the response data Y supplied from the PUF device 15 in time series, and sequentially outputs the received response data Y to the response data calculation unit 127 (sequence S156).
The response data calculation unit 127 performs a predetermined calculation on a plurality of input response data Y to generate one new response data Y, and outputs this response data Y to the PUF key pair generation unit 125 ( Sequence S157).
Since each of the subsequent sequence S117 to sequence S122 is the same as sequence S117 to sequence S122 in the certificate registration process of the first embodiment shown in FIG.

FIG. 12 is a sequence diagram illustrating an operation example of signature generation processing by the signature generation device 11 ′ according to the third embodiment.
Message input unit 111 acquires message data input by the user from the input means, and temporarily stores it inside (sequence S251).
The ID input unit 112 acquires the ID input by the user from the input means, and temporarily stores it inside (sequence S252).
The challenge data transmission unit 114 reads and acquires all the challenge data X stored in the challenge data management unit 121 (sequence S253).

The challenge data transmission unit 114 sequentially transmits the acquired plurality of challenge data X to the reading device 17 in time series (sequence S254).
Then, the reading device 16 sequentially transmits the challenge data X supplied in time series to the PUF device 15 (sequence S255).
The data control unit 152 sequentially outputs the challenge data supplied in time series to the PUF circuit 151. Then, the PUF circuit 151 performs a specific calculation on the challenge data X input in time series, and sequentially outputs the calculation result as response data Y to the data control unit 152 (sequence S256).

The data control unit 152 sequentially transmits the response data Y supplied in time series from the PUF circuit 151 to the certificate registration device 12 via the reading device 17 (sequence S257).
The response data receiving unit 115 receives the response data Y supplied from the PUF device 15 in time series, and sequentially outputs the received response data Y ′ to the response data calculation unit 127 (sequence S258).

The response data calculation unit 119 performs a predetermined calculation on the plurality of input response data Y ′ to obtain one new response data Y ′, and this response data Y ′ is sent to the PUF key pair generation unit 116. Output (sequence S259).
Since each of the subsequent sequence S219 to sequence S222 is the same as the sequence S219 to sequence S222 of the signature generation processing of the first embodiment shown in FIG.

According to the present embodiment, even if any challenge data is leaked, a secret key cannot be generated unless a rule for recalculating other challenge data and response data is known. It becomes more difficult to tamper with the PUF certificate and the PUF signature than in the form.
Therefore, according to the present embodiment, an effect of preventing falsification of the PUF certificate and the PUF signature can be obtained as compared with the first embodiment.

<Fourth Embodiment>
Hereinafter, a fourth embodiment of the present invention will be described with reference to the drawings. FIG. 13 is a schematic block diagram showing a configuration example of an electronic signature system according to the fourth embodiment of the present invention.
The digital signature system 1 ″ differs from the digital signature system 1 according to the first embodiment of FIG. 1 in that the certificate registration device 12 and the signature generation device 11 are one configuration, and the certificate registration device 12 and the signature generation device. 11 is replaced with the signature device 18. In the fourth embodiment, the configuration corresponding to the signature generation device 11 in the first embodiment is a signature generation unit 181, and the configuration corresponding to the certificate registration device 12 in the first embodiment is a certificate registration unit. 182. In the signature generation unit 181 and the certificate registration unit 182, the same reference numerals are given to the corresponding configurations of the signature generation device 11 and the certificate registration device 12 in the first embodiment. Only the configuration and operation different from those of the electronic signature system 1 of FIG. 1 in the first embodiment will be described below.

  The challenge data management unit 121 ′ in the certificate registration unit 182 generates one-time challenge data that is valid only once by the same generation method as that for the one-time password. Here, the generation method uses time and random number seeds, and uses the same methods as the mathematical algorithm one-time password, time-synchronized one-time password, and challenge-type one-time password. In this case, the generation of the PUF certificate and the PUF signature is performed in the challenge data management unit 121 'or at the same time because the same one-time challenge data is used. In other words, the one-time password is not necessarily generated at the same time when it is generated using a factor that is not a time (for example, a random number seed) or when the same time is used even if the time is used as a factor. In this case, when using the same one-time password, the PUF certificate and the PUF signature may be created at different times.

  FIG. 14 is a sequence diagram illustrating an operation example of PUF certificate registration processing by the certificate registration unit 182 in the signature device 18 according to the fourth embodiment. Hereinafter, an operation example of the PTF certificate registration process according to the fourth embodiment will be described with reference to FIG.

The challenge data transmission unit 122 acquires the one-time challenge data X generated by the challenge data management unit 121 ′ from the challenge data management unit 121 ′ (sequence S161).
In subsequent sequence S112 to sequence S122, the challenge data in sequence S112 to sequence S122 of the certificate registration process in the first embodiment is merely replaced with one-time challenge data. It is the same as the sequence diagram.
Further, the signature generation processing by the signature generation unit 181 in the signature device 18 of the fourth embodiment is the same as the challenge data in the sequence S213 in the signature generation processing by the signature generation device 11 of the first embodiment shown in FIG. Except that it is acquired from the certificate registration unit 182 as challenge data, it is the same as the sequence diagram of FIG.

  According to the above-described embodiment, even if the challenge data (one-time challenge data) is leaked, since it is one-time, the influence of the leak can be minimized, compared with the first embodiment. Security can be improved.

  Also, a program for realizing the functions of the signature generation device, certificate registration device, signature verification device, certificate management device, and signature device in FIGS. 1, 10, and 13 is recorded on a computer-readable recording medium. Then, the program recorded on the recording medium may be read into a computer system and executed to execute signature generation, certificate registration, signature verification, and certificate management processing. Here, the “computer system” includes an OS and hardware such as peripheral devices.

Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW system is used.
The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system.

  Furthermore, the “computer-readable recording medium” dynamically holds a program for a short time like a communication line when transmitting a program via a network such as the Internet or a communication line such as a telephone line. In this case, a volatile memory in a computer system serving as a server or a client in that case, and a program that holds a program for a certain period of time are also included. Further, the program may be a program for realizing a part of the functions described above, and is a so-called differential file that can realize the functions described above in combination with a program already recorded in the computer system. May be.

  The embodiment of the present invention has been described in detail with reference to the drawings. However, the specific configuration is not limited to this embodiment, and includes design and the like within a scope not departing from the gist of the present invention.

DESCRIPTION OF SYMBOLS 1,1 ', 1''... Electronic signature system 11, 11' ... Signature generation apparatus 12, 12 '... Certificate registration apparatus 13 ... Signature verification apparatus 14 ... Certificate management apparatus 15 ... PUF device 16, 17 ... Reading apparatus DESCRIPTION OF SYMBOLS 18 ... Signature apparatus 100 ... Information communication line 111 ... Message input part 112, 124 ... ID input part 113, 121, 121 '... Challenge data management part 114, 122 ... Challenge data transmission part 115, 123 ... Response data reception part 116, 125 ... PUF key pair generation unit 117 ... PUF signature generation unit 118 ... PUF signature output unit 119,127 ... response data calculation unit 126 ... PUF certificate registration unit 131 ... PUF signature message input unit 132 ... PUF certificate acquisition unit 133 ... PUF certificate verification unit 134 ... PUF signature verification unit 135 ... Verification result output unit 1 1 ... DB control unit 142 ... repository database 151 ... PUF circuit 152 ... data control unit 181 ... signature generation unit 182 ... certificate registration unit

Claims (12)

A certificate registration unit that generates a PUF certificate from the first response data obtained by computing the challenge data with a physical non-duplicatable function (PUF), and obtained by computing the challenge data with a physical non-duplicatable function An electronic signature device comprising a signature generation unit for generating a PUF signature from the second response data;
The certificate registration unit
A first PUF key pair generation unit that generates a private key and public key pair; and a PUF certificate generation unit that generates a PUF certificate using information embedded in the first response data in the private key,
The signature generation unit
A second PUF key pair generation unit that generates a pair of a primary secret key and a primary public key; and a PUF signature generation unit that generates a PUF signature using information embedded in the second response data in the secret key. An electronic signature device characterized by comprising: The certificate registration unit selects any one of a plurality of different challenge data according to a preset rule, and transmits the selected response data to a PUF device having a PUF logic circuit of the physical copy impossible function, and the first response data Get,
The signature generation unit selects the same challenge data as the certificate registration unit according to the rule from a plurality of different challenge data, and transmits the selected challenge data to a PUF device having a PUF logic circuit of the physical copy disable function, 2. The electronic signature device according to claim 1, wherein second response data is obtained. The certificate registration unit transmits a plurality of different challenge data to a PUF device having a PUF logic circuit of the physical copy disable function, obtains a plurality of the first response data, and obtains a plurality of the first response data. Using the predetermined calculation to generate new first response data, generating the PUF certificate with the new first response data,
The signature generation unit transmits the same plurality of different challenge data as the certificate registration unit to a PUF device having a PUF logic circuit of the physical copy impossible function, and obtains a plurality of the second response data, The second response data is generated by the same predetermined calculation as the certificate registration unit using the second response data, and the PUF signature is generated by the new second response data. The electronic signature device according to 1. The certificate registration unit transmits the one-time challenge data generated each time to a PUF device having a PUF logic circuit of the physical copy disable function, and obtains the first response data,
The signature generation unit transmits the challenge data of the same time as the certificate registration unit to a PUF device having a PUF logic circuit of the physical copy disable function, and obtains the second response data. The electronic signature device according to claim 1. A PUF device that calculates the challenge data that is input using a physical non-duplicatable function and outputs it as response data;
A certificate registration device that inputs the challenge data to the PUF device and generates a PUF certificate from the first response data as the response data supplied from the PUF device;
A signature generation device that inputs the same challenge data as the certificate registration device to the PUF device, and generates a PUF signature from the second response data as the response data supplied from the PUF device;
E Bei and a signature verification device for verifying the PUF signed by the PUF certificate,
The certificate registration device is
A first PUF key pair generation unit that generates a private key and public key pair; and a PUF certificate generation unit that generates a PUF certificate using information embedded in the first response data in the private key,
The signature generation device
A second PUF key pair generation unit that generates a pair of a primary secret key and a primary public key; and a PUF signature generation unit that generates a PUF signature using information in which the second response data is embedded in the secret key.
Electronic signature system, wherein a call. Before Symbol signature verification device,
Using the information in which the first response data in the PUF certificate is embedded in the private key and the information in which the second response data in the PUF signature is embedded in the primary secret key, the PUF certificate and the PUF The verification of the PUF signature is performed by determining whether or not the signature is generated based on response data obtained by the physical copy impossible function by the PUF device having the same signature. 5. The electronic signature system according to 5. The certificate registration device selects any one of a plurality of different challenge data according to a preset rule, transmits the selected challenge data to the PUF device having a PUF logic circuit of the physical duplication impossible function, and the first response data Get
The signature generation apparatus selects the same challenge data as the certificate registration apparatus from a plurality of different challenge data according to the rule, and transmits the challenge data to a PUF device having a PUF logic circuit of the physical copy disable function, The electronic signature system according to claim 5 or 6, wherein the second response data is obtained. The certificate enrollment apparatus transmits a plurality of different challenge data to a PUF device having a PUF logic circuit of the physical copy disable function, obtains a plurality of the first response data, and obtains a plurality of the first response data. Using the predetermined calculation to generate new first response data, generating the PUF certificate with the new first response data,
The signature generation apparatus transmits a plurality of different challenge data that is the same as the certificate registration apparatus to the PUF device having a PUF logic circuit of the physical copy impossible function, and obtains a plurality of the second response data, A new second response data is generated by the same predetermined calculation as that of the certificate registration unit using the plurality of second response data, and the PUF signature is generated by the new second response data. The electronic signature system according to claim 5 or 6. The certificate enrollment device transmits the one-time challenge data generated each time to a PUF device having a PUF logic circuit of the physical copy disable function, and obtains the first response data,
The signature generation apparatus transmits the challenge data of the same one time as the certificate registration apparatus to a PUF device having a PUF logic circuit of the physical copy impossible function to obtain the second response data. The electronic signature system according to claim 5 or 6. A certificate registration unit that generates a PUF certificate from the first response data obtained by computing the challenge data with a physical non-duplicatable function (PUF), and obtained by computing the challenge data with a physical non-duplicatable function A signature method in a signature device including a signature generation unit that generates a PUF signature from second response data,
A first PUF key pair generation process in which the certificate registration unit generates a private key and public key pair;
A PUF certificate creation process in which the certificate registration unit creates a PUF certificate using information in which the first response data is embedded in the private key;
A second PUF key pair generation process in which the signature generation unit generates a pair of a primary secret key and a primary public key;
The electronic signature method, wherein the certificate registration unit includes a PUF signature generation step of generating a PUF signature using information in which the second response data is embedded in the secret key. A process in which the PUF device calculates the input challenge data using a physical duplication impossible function and outputs it as response data;
A process in which a certificate registration apparatus inputs the challenge data to the PUF device, and generates a PUF certificate from the first response data as the response data supplied from the PUF device;
A process in which a signature generation apparatus inputs the same challenge data as the certificate registration apparatus to the PUF device, and generates a PUF signature from the second response data as the response data supplied from the PUF device; ,
A step of verifying the PUF signature with the PUF certificate,
The certificate registration device is
A first PUF key pair generation process for generating a private key and public key pair, and a PUF certificate creation process for creating a PUF certificate using information embedded in the first response data in the private key,
The signature generation device
A second PUF key pair generation process for generating a pair of a primary secret key and a primary public key, and a PUF signature generation process for generating a PUF signature using information embedded in the second response data in the secret key. An electronic signature method characterized by the above. A certificate registration unit that generates a PUF certificate from the first response data obtained by computing the challenge data with a physical non-duplicatable function (PUF), and obtained by computing the challenge data with a physical non-duplicatable function A program that causes a computer to execute an operation of a signature device including a signature generation unit that generates a PUF signature from second response data;
The computer,
A certificate registration unit that generates a pair of a private key and a public key, and creates a PUF certificate using information in which the first response data is embedded in the private key;
A program for generating a pair of a primary secret key and a primary public key, and causing the second response data to function as a signature generation unit that generates a PUF signature using information embedded in the secret key.

Images