JP2008028983A - Anonymous order program and device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To eliminate inconvenience based on non-coupling by eliminating nonconnectivity to utilization in the past as needed. <P>SOLUTION: A buyer device 30 and store device 20 store "order-ID-containing anonymous order information" and "password" in association with each other, respectively, a buyer transmits a request containing the order ID and the password from the buyer device 30 to the store device 20 as needed, and the store device 20 verifies the order ID and the password contained in the request, thereby eliminating nonconnectivity to utilization in the past as needed. Therefore, inconvenience based on nonconnectivity can be eliminated. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a program and apparatus for anonymous ordering using a group signature method, for example, a program for anonymous ordering that can eliminate incompatibility with respect to past use if necessary, and can eliminate inconveniences based on incompatibility And an apparatus.

  In the field of service provision such as online sales, a technique using a group signature method (for example, see Non-Patent Documents 1-3) has been proposed from the viewpoint of realizing personal information protection and privacy protection (for example, patents). Reference 1-3).

  In these proposed technologies, the user's “anonymity” that does not need to reveal who is the user, and “non-associativeness” that cannot determine whether two different authentication requests are from the same user. Personal information protection and privacy protection are realized. In addition, by having “trackability” that allows only specified personal information management organizations other than service providers to identify users, individual settlement for each service in a normal case while maintaining anonymity and privacy for the service provider And the identification of fraudsters when fraud occurs.

  However, “non-binding” is an important property from the viewpoint of personal information protection and privacy protection, but it may cause inconvenience to the service provider. For example, when a user wants to make an inquiry request or a return request for a service or product purchased, there is “unbinding” for the purchased service etc., so the inquiry request is only sent between the user and the service provider. Inconvenience that can not be processed directly with. In addition, even when the same user repeatedly uses the same service provider, the number of times of use is not known because the purchased service or product has “non-binding”. For this reason, there are inconveniences that customers cannot be enclosed by providing benefits such as a point service, and the number of uses cannot be used as market information.

  Specifically, since the service provision method prior to the above-described proposed technology always identifies individuals, it is easy to respond to inquiries / return requests and provide point services, while realizing personal information protection and privacy protection. Has become difficult.

In contrast, the proposed technology described above always maintains incompatibility, so personal information protection and privacy protection can be easily realized at a high level, but it is possible to respond to inquiries / return requests and provide point services. It has become difficult.
D. Chaum, E. van Heyst, “Group Signatures”, EUROCRYPT '91, LNCS 547, Springer-Verlag, pp.257-265, 1991. G. Ateniese, J. Camenisch, M. Joye and G. Tsudik, “A Practical and Provably Secure Coalition-Resistant Group Signature Scheme”, CRYPTO 2000, LNCS 1880, Springer-Verlag, pp.255-270, 2000. Edited by Mitsuko Miyachi and Hiroaki Kikuchi, "Information Security", Ohmsha, ISBN4-274-13284-6, pp.112-114. A. Kiayias, Y. Tsioumis, M. Yung, “Traceable Signatures”, EUROCRYPT 2004, LNCS 3027, Springer-Verlag, pp.571-589, 2004. JP 2004-054905 A JP 2004-320562 A JP 2006-119777 A

  As described above, in the conventional proposed technique, “non-binding” that cannot determine whether two different authentication requests are made by the same user plays a large role in personal information protection and privacy protection. On the other hand, however, there is an incompatibility that makes it difficult to respond to an inquiry request or a return request based on past usage, or a point service provision request based on past usage because it has “non-binding” properties. May occur.

  The present invention has been made in consideration of the above circumstances, and provides an anonymous ordering program and apparatus that can eliminate non-binding properties for past use if necessary, and that can eliminate inconveniences based on non-binding properties. Objective.

  1st invention is communicable with both apparatus of the administrator apparatus which can settle an anonymous order of a purchaser by the group signature system which has a tracking function, and the purchaser apparatus which performs the anonymous order of a sales object by the said group signature system An anonymous ordering program used for a retail store apparatus, in which a computer of the retail store apparatus is received from a purchaser device in the past as "anonymous order information including an order ID and a group signature" and the anonymous order information. A storage means for storing the password issued correspondingly in association with the storage device of the computer of the store apparatus, issuing an order ID based on the sales target specifying information received from the purchaser device of the purchaser, An order ID issuing means for transmitting the order ID to the purchaser device, and when receiving anonymous order information including the order ID and group signature from the purchaser device, A signature verification means for verifying a group signature; when the verification result of the group signature is valid, a password is issued corresponding to the current anonymous order information, and the current anonymous order information and password are stored in the storage device Password issuing means, password sending means for sending the issued password to the purchaser device, anonymous order sending means for sending anonymous order information to the manager device, a request including a past order ID and password from the purchaser device Receiving, the password verification means for verifying the order ID and password with reference to the storage device, and the request acceptance means for receiving the request when the verification result of the order ID and password is valid. This is an ordering program.

  The second invention is capable of communicating with both the administrator device that can settle the purchaser's anonymous order by the group signature method having a tracking function, and the store device that receives the anonymous order of the sale object by the group signature method. An anonymous ordering program used for a purchaser device, wherein the storage device stores the computer of the purchaser device in association with past anonymous order information and a password in a storage device of the computer of the purchaser device, When an order ID is received from the store apparatus by the purchaser's operation, anonymous order generating means for generating anonymous order information including the order ID and group signature is transmitted to the store apparatus. Anonymous order transmission means, the password received from the store apparatus in response to the transmission is associated with the anonymous order information this time and the above-mentioned A password writing means for writing to the device, a request generating means for generating a request including the order ID and password in the storage device by the operation of the purchaser, a request transmitting means for transmitting the obtained request to the store apparatus, It is a program for anonymous order to function as.

  The third invention can communicate with both an administrator device that can settle an anonymous order of a purchaser by a group signature method having a tracking function and a purchaser device that makes an anonymous order for sale by the group signature method. An anonymous ordering program used for a retail store apparatus, in which a computer of the retail store apparatus corresponds to a purchaser identity certification secret information corresponding to the order ID in the past and cannot be guessed. After the purchaser identity verification information generated based on the purchaser identity verification secret information, and the group signature based on the order ID and purchaser identity verification information is generated by the purchaser device, When “anonymous order information including the order ID, the purchaser identity verification information and the group signature” is received from the purchaser apparatus, the anonymous order information is stored in the store apparatus apparatus. Storage means for storing in the storage device of the computer (however, the confidential information for purchaser identity proof that cannot be estimated cannot be estimated from the administrator device and the store device). And based on the sales target specifying information received from the purchaser's purchaser's device). An order ID issuance means for issuing an order ID and transmitting the order ID to the purchaser device; when receiving anonymous order information including the order ID, purchaser identity verification information and group signature from the purchaser device, A signature verification means for verifying a group signature, an anonymous order information writing means for writing the current anonymous order information to the storage device when the verification result of the group signature is valid, an anonymous order information Anonymous order transmitting means for transmitting to the manager device, “past order ID” from the purchaser device and “zero knowledge proof information that the secret information for purchaser identity proof corresponding to this order ID is known” When receiving a request including the search ID, the search means for searching for purchaser identity verification information related to the order ID from the storage device, the zero knowledge proof information based on the searched purchaser identity verification information An anonymous ordering program for functioning as zero knowledge verification means for verifying, and request acceptance means for accepting the request when the verification result of the zero knowledge proof information is valid.

  4th invention can communicate with both apparatus of the manager apparatus which can settle a buyer's anonymous order by the group signature system which has a tracking function, and the store apparatus which receives the anonymous order of sale object by the group signature system An anonymous ordering program used for a secure purchaser device, wherein the computer of the purchaser device is generated based on past “order ID, order ID and confidential information for purchase identity verification that cannot be guessed” Storage means for storing the purchaser identity verification information and anonymous order information including the group signature "and" the purchaser identity verification secret information "in association with each other in the storage device of the computer of the purchaser device ( However, the confidential information for purchaser identity proof that cannot be estimated cannot be inferred from the administrator device and the store device by itself. In addition, even if it is based on the purchaser identity verification information, it is information that cannot be inferred from the manager device and the store device), and when the order ID is received from the store device by the purchaser operation , Anonymous order generating means for generating anonymous order information including this order ID, purchaser identity verification information and group signature, anonymous order transmitting means for transmitting the obtained anonymous order information to the store apparatus, the purchaser The search means for retrieving the purchaser identity certification confidential information related to the past order ID from the storage device by the operation of, and knowing the purchaser identity certification secret information corresponding to the order ID Zero knowledge proof generating means for generating zero knowledge proof information, request generating means for generating a request including the order ID and the zero knowledge proof information by operation of the purchaser, Which is a request transmitting unit, anonymous order for a program to function as to be transmitted to the store apparatus.

  The fifth invention can communicate with both an administrator device that can settle an anonymous order of a purchaser by a group signature method having a tracking function, and a purchaser device that makes an anonymous order of a sale object by the group signature method. An anonymous ordering program used for a retail store apparatus, in which a computer of the retail store apparatus corresponds to a purchaser identity certification secret information corresponding to the order ID in the past and cannot be guessed. After the purchaser identity verification information generated based on the purchaser identity verification secret information, and the group signature based on the order ID and purchaser identity verification information is generated by the purchaser device, When “anonymous order information including the order ID, the purchaser identity verification information and the group signature” is received from the purchaser apparatus, the anonymous order information is stored in the store apparatus apparatus. Storage means for storing in the storage device of the computer (however, the confidential information for purchaser identity proof that cannot be estimated cannot be estimated from the administrator device and the store device). And based on the sales target specifying information received from the purchaser's purchaser's device). An order ID issuance means for issuing an order ID and transmitting the order ID to the purchaser device; when receiving anonymous order information including the order ID, purchaser identity verification information and group signature from the purchaser device, A signature verification means for verifying a group signature, an anonymous order information writing means for writing the current anonymous order information to the storage device when the verification result of the group signature is valid, an anonymous order information Anonymous order transmitting means for transmitting to the manager device, the "one or more past order IDs" from the buyer device and the "buyer identity certification secret information corresponding to the one or more order IDs are common" When receiving a request including “zero knowledge proof information of being present and knowing it”, one or more purchaser identity verification information related to the one or more order IDs is retrieved from the storage device. Search means, zero knowledge verification means for verifying the zero knowledge proof information based on the searched one or more pieces of purchaser identity verification information, and when the verification result of the zero knowledge proof information is valid, the request Is an anonymous ordering program for functioning as a request accepting means for accepting.

  6th invention is communicable with both the administrator apparatus which can settle a purchaser's anonymous order by the group signature system which has a tracking function, and the store apparatus which receives the anonymous order of a sales object by the said group signature system An anonymous ordering program used for a secure purchaser device, wherein the computer of the purchaser device is generated based on past “order ID, order ID and confidential information for purchase identity verification that cannot be guessed” Storage means for storing the purchaser identity verification information and anonymous order information including the group signature "and" the purchaser identity verification secret information "in association with each other in the storage device of the computer of the purchaser device ( However, the confidential information for purchaser identity proof that cannot be estimated cannot be inferred from the administrator device and the store device by itself. In addition, even if it is based on the purchaser identity verification information, it is information that cannot be inferred from the manager device and the store device), and when the order ID is received from the store device by the purchaser operation , Anonymous order generating means for generating anonymous order information including this order ID, purchaser identity verification information and group signature, anonymous order transmitting means for transmitting the obtained anonymous order information to the store apparatus, the purchaser To retrieve common purchaser identity proof secret information related to one or more order IDs in the past from the storage device, based on the retrieved purchaser identity proof secret information , Zero knowledge proof generation means for generating zero knowledge proof information that the secret information for purchaser identity proof is common and knows the same, and the one or more by the operation of the purchaser Order ID and request generation means for generating a request that includes the zero-knowledge proof information, a request transmitting unit, anonymous order for a program to function as to transmit the obtained request to the store apparatus.

  The seventh invention is capable of communicating with both an administrator device that can settle an anonymous order of a purchaser by a group signature method having a tracking function, and a store device that receives an anonymous order to be sold by the group signature method. A program for use in a purchaser identity proof device that holds confidential information for purchaser identity proof written from a particular purchaser device, wherein the computer of the purchaser identity proof device is configured to perform the initial setting at the time of initial setting. Secret information writing means for writing the purchaser identity certification secret information input from the purchaser device to the storage device of the computer. When the purchaser device receives the order ID from the store device, the order ID, the order Anonymized order information including group identity and purchaser identity verification information generated based on purchaser identity certification confidential information that corresponds to ID and cannot be guessed Generated by the purchaser device based on the “secret calculation value calculated and held from the purchaser identity certification information at the time of initial setting” (however, the nonidentifiable purchaser identity certification secret information is The secret information for the person identity proof itself cannot be inferred from the administrator device and the store device, and cannot be inferred from the administrator device and the store device even based on the purchaser identity verification information. The purchaser device is used independently from the purchaser device after the generated anonymous order information is transmitted to the store device, and the purchaser identity certificate in the storage device is used. Zero knowledge proof generation for generating zero knowledge proof information that the buyer identity proof secret information related to one or more order IDs in the past is common and know based on the secret information Means, 1 Request generation means for generating a request including the above order ID and the zero knowledge proof information, a request for transmitting the obtained request to “a purchaser identity verification apparatus capable of acquiring anonymous order information from the store apparatus” This is a program for functioning as transmission means.

  An eighth aspect of the present invention relates to an administrator device that can settle a purchaser's anonymous order by a group signature method having a tracking function, a store device that receives an anonymous order to be sold by the group signature method, and the sales that have received the anonymous order It is possible to communicate with the purchaser identity proof device for taking the object, and upon receipt of the sales object, the purchaser identity proof device is based on the pre-stored purchaser identity proof secret information, Generates zero knowledge proof information that the secret information for purchaser identity proof related to one or more order IDs in the past is common and knows it, and the one or more order IDs and zero When the request including the knowledge certification information is to be transmitted to the “buyer identity verification apparatus capable of acquiring anonymous order information from the store apparatus”, the buyer identity certification secret information is set at the initial setting. In the purchaser identity proof device, the purchaser device computer generates the purchaser identity proof secret information at the time of the initial setting, and the purchase Means for calculating a secret calculation value from the secret information for proof of identity of the person, while writing the generated secret information for proof of purchaser identity to the device for proof of identity of the purchaser, while calculating the calculated secret calculation value When the order ID is received from the store apparatus by means of the means for writing in the storage device of the computer and the purchaser, the anonymous order information including the order ID, purchaser identity verification information and group signature is stored in the storage device. A program for functioning as an anonymous order generating means for generating based on the secret calculation value of the device, and an anonymous order transmitting means for transmitting the obtained anonymous order information to the store apparatus. It is a non.

  The ninth invention can communicate with both an administrator device that can settle an anonymous order of a purchaser by a group signature method having a tracking function and a purchaser device that makes an anonymous order of a sale object by the group signature method. In the past, the retailer apparatus is based on the purchaser identity certification confidential information corresponding to the order ID, the purchaser identity secret information that corresponds to the order ID and cannot be guessed. After the purchaser identity verification information to be generated and the group signature based on the order ID and the purchaser identity verification information are generated by the purchaser device (however, for the inferable purchaser identity verification) The secret information cannot be inferred from the administrator device and the store device itself, and the administrator device and the previous information are also based on the purchaser identity verification information. When the “anonymous order information including the order ID, the purchaser identity verification information and the group signature” is received from the purchaser device, the anonymous order information is stored. The order ID is issued based on the sales target specifying information received from the purchaser device of the purchaser, the order ID is transmitted to the purchaser device, and the order ID and the purchaser identity verification information are transmitted from the purchaser device. And when the anonymous order information including the group signature is received, the group signature is verified, and when the verification result is valid, the anonymous order information of this time is stored, while the anonymous order information is transmitted to the manager device. If there is a program for use in a purchaser identity verification device capable of acquiring anonymous order information from the dealer device, the computer of the purchaser identity verification device is One or more corresponding to “one or more past order IDs” input after the anonymous order, with respect to the purchaser identity certification device in which the buyer certification confidential information is written from the purchaser device at a fixed time Means for reading the anonymous order information from the dealer apparatus, means for writing one or more anonymous order information read from the dealer apparatus in the storage device of the computer, Means for receiving a request including “one or more order IDs” and “zero knowledge proof information indicating that the buyer identity certification secret information corresponding to the one or more order IDs is common and known” Upon receiving this request, zero knowledge verification means for verifying the zero knowledge proof information based on one or more purchaser identity verification information included in one or more anonymous order information in the storage device , A program for functioning as a request receiving means for receiving the request when the verification result of the zero knowledge proof information is valid.

  Each of the above inventions has been described by taking the case where it is applied to a “program” as an example. However, the present invention is not limited to this and is applied to an “apparatus”, “system”, “method”, or “storage medium storing a program” May be.

(Function)
In the first and second aspects of the invention, the purchaser device and the store device store “anonymous order information including an order ID” and “password” in association with each other, and the purchaser removes from the purchaser device if necessary. Since the request including the order ID and password is transmitted to the store apparatus, and the store apparatus verifies the order ID and password included in this request, it is possible to eliminate the incompatibility with the past use as necessary. Inconveniences based on non-binding properties can be eliminated.

  In the third and fourth inventions, the purchaser device stores “anonymous order information including order ID and purchaser identity verification information” and “buyer identity verification secret information”, and the store device “Anonymous order information including order ID and purchaser identity verification information” is stored, and if necessary, the purchaser knows the order ID and the purchaser identity secret information from the purchaser device. By sending a request including zero knowledge proof information to the dealer apparatus, and the dealer apparatus verifies the zero knowledge proof information based on the purchaser identity verification information retrieved from the order ID included in the request, Since it is possible to eliminate the non-binding property with respect to the past use if necessary, the inconvenience based on the non-binding property can be solved.

  In the fifth and sixth inventions, the purchaser device stores “anonymous order information including order ID and purchaser identity verification information” and “buyer identity verification secret information”, and the store device is “Anonymous order information including order ID and purchaser identity verification information” is stored, and if necessary, the purchaser shares one or more order IDs and purchaser identity secret information from the purchaser device in common. A request including zero knowledge proof information of being and knowing it is transmitted to the dealer apparatus, and the dealer apparatus retrieves from one or more order IDs included in the request, and one or more buyers are identical. With the configuration in which the zero knowledge proof information is verified based on the verification information, non-association with respect to past use can be eliminated as necessary, so that inconvenience based on non-association can be eliminated.

  In the seventh to ninth inventions, the purchaser device stores “anonymous order information including order ID and purchaser identity verification information” and “secret calculation value calculated from purchaser identity verification secret information”. The purchaser identity proof device stores “buyer identity proof confidential information”, and the store device stores “anonymous order information including order ID and purchaser identity verification information”. In addition, if necessary, the purchaser includes zero knowledge proof information indicating that one or more order IDs and the purchaser identity proof secret information are common and known from the purchaser identity proof device. A request is transmitted to the purchaser identity verification device, and the purchaser identity verification device requests one or more anonymous order information corresponding to the one or more order IDs included in the request from the dealer device; 1 included in one or more obtained anonymous order information The configuration for verifying the zero-knowledge proof information based on the purchaser identity verification information described above can eliminate the incompatibility with respect to the past use as necessary, thus eliminating the inconvenience based on the incompatibility. it can. In addition, by separating the device for anonymous ordering and the device for receiving the product, it is possible to expand the application destination of anonymous orders such as receiving goods ordered anonymously at home at convenience stores, etc. It is possible to improve the security for receiving goods by anonymous orders.

  As described above, according to the present invention, it is possible to eliminate the incompatibility with respect to past use if necessary, and it is possible to eliminate the disadvantages based on the incompatibility.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In addition, although each following embodiment gives and demonstrates the case where it applies to the anonymous order system of patent document 3 as a representative example, not only this but the access control system of patent document 1, and patent document 2 description The same applies to the anonymous authentication system. Supplementally, each of the following embodiments is not limited to the systems described in Patent Documents 1 to 3, but can be similarly applied to any system as long as the system uses user authentication based on the group signature method. Yes.

Next, before describing each embodiment, a group signature method (see Non-Patent Document 3) which is a premise of the anonymous ordering system described in Patent Document 3 will be described as a standard example. Here, Table 1 below shows the symbols of this standard group signature scheme and their descriptions.

(Initial setting)
The group manager GM and the tracking organization EM generate a public key / private key pair (PG, SG), (PE, SE), respectively. Further, the group public key (PG, PE), the generation source g, and the like are disclosed.

  The user who becomes the member A generates a public key / private key pair (PA, SA) having the following relationship based on the generation source g, for example.

PA = g ^SA
Next, the user performs a signature process on the public key PA using the private key SA to obtain a digital signature Sig _SA (PA). The user generates the following knowledge signature SPK (Signature based on Proof of Knowledge) indicating that the key pair (PA, SA) has been correctly generated (predicate). However, since it is an initial setting, the message m does not exist here.

SPK {(α) | PA = g ^α } (m) = SPK {(SA) | PA = g ^SA } (m)
This knowledge signature SPK satisfies (e, v) ε {0,1} ^k × [−2 ^{| L | + k} , 2ε ^{(| L |} ) that satisfies e = H (g‖PA‖g ^v PA ^e ‖m). ^{+ K)} ]. The user calculates u = g ^r based on the random number rε {0,1} ^{ε (| L | + k)} , sets e = H (g と し PA‖u （m), and sets v = r−eSA. Calculate on an integer.

Thereafter, the user transmits the public key PA, the digital signature Sig _SA (PA), and the knowledge signature SPK = (e, v) to the group manager GM.

Upon receiving these, the group manager GM verifies the digital signature Sig _SA (PA) with the public key PA and verifies the knowledge signature (e, v) with the public key PA and the generation source g. The verification of the knowledge signature is performed based on e = H (g‖PA‖g ^v PA ^e ‖m).

  When the validity is confirmed by both verifications, the group manager GM performs signature processing on the user's public key PA with his / her private key SG as follows, and returns the obtained member certificate σA to the user. . As a result, the user becomes member A.

σA = Sig _SG (PA)
The group manager GM keeps the member A's member ID, public key and certificate pair (IDA, PA, σA) secretly, and also sets the member A's public key and digital signature pair (PA, Sig). _SA (PA)) is added to the member list.

(Group signature generation)
The member A as the signer generates a knowledge signature SPK _{σ, x} that proves that the message m has a pair (x, σA) of the private key and the member certificate as follows. Note that x = SA.

SPK _{σ, x} = SPK {(α, β) | Verify _PG (f (α), β) = 1} (m)
= SPK {(x, σA) | Verify _PG (f (x), σA) = 1} (m)
= (E1, v1)
However, e1 = H (g‖PA‖g ^{r ^} PG‖m), v1 = r−e1 (x + σA)
Further, the member A as the signer has a value c = E _PE (PA) (traceability) obtained by encrypting the private key PA with the public key PE of the tracking authority EM for the message m as follows: A knowledge signature SPK _c certifying that the secret key x corresponding to the plaintext (PA) of this value c is generated is generated.

SPK _c = SPK {(α, β) | Verify _PE (f (α), β) = 1} (m)
= SPK {(x, c) | Verify _PE (f (x), c) = 1} (m)
= (E2, v2)
However, e2 = H (g‖PA‖g ^{r ^} PE‖m), v2 = r−e2 (x + c)
Thereafter, the member A transmits each data (SPK _{σ, x} , c, SPK _c ) together with the message m as a signature to the verifier. Note that c may be a value c = E _PE (σA) obtained by encrypting the certificate σA.

(Group signature verification)
When the verifier receives each data (SPK _{σ, x} , c, SPK _c ) as a signature together with the message m, the verifier knows the knowledge signature SPK _{σ, x} = (e1, v1) and based on the group public keys PG, PE. Verify SPK _c = (e2, v2).

e1 = H (g‖PA‖g ^{v1 ^ PG} PA ^{e1 ^} PG‖m)
e2 = H (g‖PA‖g ^{v2 ^ PE} PA ^{e2 ^} PE‖m)
The verifier performs processing based on the message m when the signature generated by the member A is valid. On the other hand, when the signature generated by the member A is invalid, the verifier transmits the encrypted value c to the tracking organization EM.

(Tracking function)
The tracking organization EM decrypts the value c (= E _PE (PA)) received from the verifier with its own secret key SE and transmits the obtained public key PA of the member A to the group manager GM. The group manager GM identifies member A from the public key PA.

  The above is the standard group signature scheme, but other group signature schemes have similar properties. Needless to say, each of the following embodiments is applicable to other group signature schemes as well.

  In addition, each device in each of the following embodiments can be implemented for each device with either a hardware configuration or a combination configuration of hardware resources and software. As the software of the combined configuration, a program that is installed in advance on a computer of a corresponding device from a network or a storage medium and that realizes the function of the corresponding device is used.

(First embodiment)
FIG. 1 is a schematic diagram showing a configuration of an anonymous ordering system according to the first embodiment of the present invention. In this anonymous order system, a logistics company device 10, a store device 20, and a purchaser device 30 are connected to each other via networks 41 to 45. In addition, the broken line in a figure has shown the element largely different from the anonymous order system of a nonpatent literature 3.

  Here, the logistics company device 10 includes a logistics company storage device 11, an initial setting unit 12, a store registration unit 13, a purchaser registration unit 14, a settlement processing unit 15, an order verification unit 16, a purchaser identification unit 17, and a market. An information generation unit 18 is provided.

  The logistics company storage device 11 is a memory that can be read / written from the respective units 12 to 18, and includes group management information, secret management information, member list, store registration information, and order history list as shown in FIG. It will be remembered.

  Here, the group management information includes a group public key (PG, PE), a group secret key (SG, SE), a logistics company public key PGM, and a logistics company secret key SGM.

  The secret management information (the purchaser's group signature related information) includes a member ID for each member, a member public key PA, and a member certificate σA.

The member list is a list including member personal information for each member ID, member public key PA, and digital signature Sig _SA (PA). The member's personal information consists of, for example, name, address, age group, gender, payment information (bank account information or credit card number, etc.), network address information such as email address and IP address, telephone number, etc. May be added. The member public key in the member list also corresponds to the purchaser's group signature related information.

The store registration information includes store information and a store public key PSP. The store information includes, for example, a store name, an address, a telephone number, an e-mail address, and settlement information (such as bank account information or a credit card number).
The order history list is a list of anonymous order information m in past orders.

  The initial setting unit 12 is used only once when the system is started up, and generates a group public key / private key pair (PG, SG), (PE, SE) and a logistics company public key / private key pair. It has a function of generating (PGM, SGM) and a function of writing group management information consisting of the generated key pair into the logistics company storage device 11.

  The dealer registration unit 13 writes the dealer registration information including the dealer information received from the dealer device 20 and the dealer public key PSP to the logistics company storage device 11 when registering the dealer, After the writing, it has a function of returning the group public key (PG, PE) in the distribution company storage device 11 to the store apparatus 20.

The purchaser registration unit 14 examines whether or not the purchaser can receive the anonymous order service based on the personal information received from the purchaser device 30 and a function of notifying the purchaser device 30 of the examination result. And a function for performing challenge / response authentication with the purchaser device 30 when passing the examination, a function for verifying the digital signature Sig _SA (PA) and the knowledge signature SPK received from the purchaser device 30, If the validity is confirmed by verification of the above, the member public key PA is signed by the group private key SG to create a member certificate σA (= Sig _SG (PA)), the member A member ID, the public key and certificate pair (IDA, PA, .SIGMA.A) with storing the secret management information comprising a tamper region logistics company storage device 11, the member's public key PA and digital signature pair (PA, Sig _SA (PA ) And the ability to add to the member list, and a function to send a member certificate σA to the purchaser apparatus 30.

  The settlement processing unit 15 has a function of performing proxy settlement based on member personal information described in the member list in the logistics company storage device 11.

  When the order verification unit 16 receives the anonymous order information from the store, the order verification unit 16 checks whether there is the same information in the order history list in the storage device 11 for the logistics company. The function to verify the validity of the group signature included in the anonymous order information in the case of refusing delivery / settlement, the function to reject product delivery / settlement if the signature is invalid, and the validity of the signature It accepts only when it can be confirmed, and has the function of adding anonymous order information to the order history list and storing it in the logistics company storage device 11.

The purchaser specifying unit 17 decrypts the group signature c (= E _PE (PA)) in the anonymous order information stored in the logistics company storage device 11 with the group secret key SE, and uses the obtained member public key PA. It has a tracking function for identifying a signer (= purchaser) with reference to a member list.

  The market information generation unit 18 generates market information by deleting information (eg, address, name, etc.) that can identify an individual from the information of the signer specified by the purchaser specification unit 17. And a function of transmitting information to the store apparatus 20. Market information is information that cannot identify an individual among information related to orders, and is information that is effective for indicating a purchase layer of a product.

  The store apparatus 20 includes a store storage device 21, a registration request unit 22, an order reception unit 23, an order information generation unit 24, an order verification unit 25, a settlement request unit 26, a password generation unit 27, and a purchaser identity verification unit. 28.

  The store storage device 21 is a memory that can be read / written from each of the units 22 to 28. As shown in FIG. 3, the store storage device 21 includes order information generation information (= anonymous order information verification information), product information, and an order acceptance list. It will be remembered.

  The order information generation information includes a group public key (PG, PE), a store public key PSP, and a store secret key SSP.

  The product information is related information for creating order information from the product specifying information (sales target specifying information) received from the purchaser device 30 and includes, for example, a product classification m13, a product ID m21, a product name m22, and a unit price m23. The product specifying information is information for specifying the product provided by the store, and is information that the administrator does not want to know. As shown in FIG. 4, the product ID (eg, product number) m21 and the number m24 can be used.

The order acceptance list is a list of order information m1, m2, received from the purchaser apparatus 30, anonymous order information m, (SPK _{σ, x} , c, SPK _c ) and issued password PW. However, if there is a purchaser identity in a plurality of order IDs in the purchaser identity verification process described later, the order acceptance list further includes the past usage count N (= purchaser identity order ID). May be included. Further, the usage number N may be appropriately used as market information.

  The order information includes basic order information m1 and detailed order information m2.

  The order basic information m1 is the minimum information necessary for the settlement of the commodity price, and includes, for example, an order ID m11, a store name m12, a commodity classification m13, a total amount m14, and a payment method m15.

The detailed order information m2 is information that is preferably hidden from non-stores (= administrators, etc.) from the viewpoint of privacy, and includes at least product specifying information and other optional information. And includes, for example, a product ID m21, a product name m22, a unit price m23, a number m24, and an order date and time m25.
The anonymous order information will be described later.
The password PW is purchaser authentication information generated by the password generation unit 27 and transmitted to the purchaser device 30 every time an order is received. Since this password PW is stored in the store storage device 21 in association with the anonymous order information, when the order ID and the password PW are presented, the incompatibility of the group signature method can be canceled. .

  The registration request unit 22 has a function that the registration request unit 22 transmits the store information and the store public key PSP to the logistics company device 10 by the operation of the store clerk, and the group public key (PG, (PE) to the store storage device 21.

  The order receiving unit 23 has an interface function located between the purchaser device 30 and each unit 24, 25, 27 in the store apparatus 20.

  The order information generation unit 24 generates the order information m including the order basic information m1 and the order detail information m2 based on the order information generation information from the product identification information received from the purchaser device 30, and the obtained order information. m and the store public key PSP are transmitted to the purchaser apparatus 30.

  Upon receiving the anonymous order information from the purchaser device 30, the order verification unit 25 can verify the validity and the function of verifying the validity of the anonymous order information based on the anonymous order verification information in the store storage device 21. The order is received, and the order information and the anonymous order information are stored in the store storage device 21, and the function is provided for issuing a slip in which the order ID is described in place of the shipping destination together with the anonymous order information. .

  The settlement requesting unit 26 has a function of requesting settlement by sending anonymous order information to the logistics company apparatus 10 and a function of saving the market information received from the logistics company apparatus 10 in the logistics company storage device 11 after the settlement is completed. Yes. Note that the payment request function of the payment request unit 26 is not used in this embodiment for requesting payment by anonymous order information of a slip, but can be suitably used when the product is digital content.

  When the verification result of the anonymous order information by the order verification unit 25 is valid, the password generation unit 27 issues a password PW corresponding to the current anonymous order information, and uses the current anonymous order information and the password PW for the store. It has a function of storing in the storage device 21 and a function of transmitting the issued password PW and the verification result to the purchaser device 30 via the order receiving unit 23.

  Upon receiving a request including a past order ID and password from the purchaser device 30, the purchaser identity verification unit 28 verifies the order ID and password with reference to the store storage device 21, and this order. It has a function of accepting a request when the verification result of the ID and password is valid. Here, as the request, for example, an inquiry request, a return request, a point service provision request, or the like can be applied to an order specified by a past order ID.

  The purchaser device 30 includes a purchaser storage device 31, a registration request unit 32, a product selection unit 33, an anonymous order unit 34, an anonymous order information generation unit 35, an order confirmation unit 36, and a purchaser identity verification unit 37. Yes.

  The purchaser storage device 31 is a memory that can be read / written from each of the units 32 to 37, and stores anonymous order information generation information and ordered information as shown in FIG.

  The anonymous order information generation information includes a group public key (PG, PE), a member public key PA, a member secret key SA, a member certificate σA, and a logistics company public key PGM.

The ordered information is information in which order information m1, m2, anonymous order information m, (SPK _{σ, x} , c, SPK _c ) and password PW are associated with each other.

As shown in FIG. 6, the anonymous order information includes order basic information m1, secret order detailed information H (m2), secret message E _PSP (m3) to the store, and secret message E _PGM (m4) to the logistics company. , Anonymous order validity verification information (SPK _{σ, x} , c, SPK _c ).

  The secret order detailed information H (m2) is information that cannot be made without knowing the order detail information m2, and is used by the store that received the order to verify the validity of the anonymous order information. However, the order detail information m2 may not be restored from the secret order detail information H (m2). Therefore, although the hash value H (m2) is used here, the present invention is not limited to this, and the order detail information m2 encrypted with the public key PGM of the store may be used.

The confidential message E _PSP (m3) to the dealer is a message that the purchaser wants to convey only to the dealer. For example, there is a coupon number, a discount keyword, etc., and only the dealer can decrypt it. It is encrypted in various forms.

The confidential message E _PGM (m4) to the logistics company is a message that the purchaser wants to convey only to the logistics company. For example, there is a destination of goods and the like, which is encrypted in a format that only the logistics company can decrypt. .

The anonymous order validity verification information (SPK _{σ, x} , c, SPK _c ) is a group signature for verifying the validity of the anonymous order information, and is validated by the order verification unit 25 based on the anonymous order verification information. Can be verified. This allows the dealer to confirm that the order can be accepted, but cannot obtain any personal information. In addition, the purchaser specifying unit 14 together with the group management information can verify the validity, and if it is valid, the generated purchaser can be specified.

The registration request unit 32 operates as a member of the anonymous order system based on the function of transmitting personal information to the logistics company apparatus 10 by the purchaser and the notification that the examination received from the logistics company apparatus 10 has been passed. A function of generating a member public key / private key pair (PA, SA) and writing it in the purchaser storage device 31, a function of executing challenge / response authentication with the logistics company device 10, and a digital signature Sig _SA (PA) and knowledge signature SPK = (e, v), a function for transmitting these digital signature Sig _SA (PA) and knowledge signature SPK to the logistics company apparatus 10, and a member certificate received from the logistics company apparatus 10 a function of storing σA in the purchaser storage device 31.

  The product selection unit 33 transmits the product specifying information and the order request to the store apparatus 20 by the purchaser's operation.

  The anonymous ordering unit 34 has an interface function located between the store apparatus 20 and each unit 33, 35, 36 in the purchaser apparatus 30.

  The anonymous order information generation unit 35 generates anonymous order information from the order basic information m1 and the order detail information m2 based on the anonymous order generation information in the purchaser storage device 31 by the purchaser's operation. A function of transmitting the obtained anonymous order information to the dealer apparatus 20 via the anonymous order unit 34 and the password PW received from the dealer apparatus 20 in response to this transmission are associated with the anonymous order information this time and purchased by the purchaser. And a function for writing to the storage device 31.

  The order confirmation unit 36 has a function of displaying basic order information m1 and detailed order information m2 received from the store apparatus 20 on a screen and prompting the purchaser to confirm the order contents.

  The purchaser identity proving unit 37 generates a request including the order ID (m11) and the password PW in the purchaser storage device 31 and transmits the generated request to the store apparatus 20 by the purchaser's operation. It has a function to do.

  Next, the operation of the anonymous order system configured as described above will be described.

(Initial setting; Fig. 7)
When the logistics company apparatus 10 starts up the anonymous order service (ST1), the initial setting unit 12 sets up the group for anonymous order by the operation of the logistics company staff, and the group public key / private key pair (PG, SG ), (PE, SE) and a pair (PGM, SGM) of its own logistics company public key / private key, and writes group management information consisting of these key pairs to the logistics company storage device 11 . The logistics company apparatus 10 may perform the above processing only once for the first time when the service is started. Thereby, the logistics company apparatus 10 can provide an anonymous order service.

  In the dealer apparatus 20, when the provision of the anonymous order service is started, the registration request unit 22 transmits the dealer information and the dealer public key PSP to the logistics company apparatus 10 by the operation of the dealer (ST2).

  In the logistics company apparatus 10, the dealer registration unit 13 writes the dealer registration information including the dealer information and the dealer public key PSP in the logistics company storage device 11, and executes dealer registration processing (ST3). The dealer registration unit 13 returns the group public key (PG, PE) in the logistics company storage device 11 to the dealer device 20 (ST4).

  In the store apparatus 20, the registration request unit 22 writes the group public key (PG, PE) in the store storage device 21 as part of the order information generation information and the anonymous order information verification information. Other examples of the order information generation information and the anonymous order information verification information include a dealer's public key / private key pair (PSP, SSP). In the store apparatus 20, it is only necessary to perform the above process only once at the time of registering with the logistics company.

  In the purchaser apparatus 30, the registration request unit 32 transmits personal information to the logistics company apparatus 10 by the purchaser's operation (ST5). In the logistics company apparatus 10, the purchaser registration unit 14 examines whether or not the purchaser can receive the anonymous order service based on the personal information (ST6), and notifies the purchaser apparatus 30 that the examination has passed, for example. Notification is made (ST7).

  In the purchaser apparatus 30, the registration request unit 32 generates a member public key / private key pair (PA, SA) as a member of the anonymous ordering system based on this notification and writes it in the purchaser storage apparatus 31 ( ST8). Thereafter, in the purchaser apparatus 30, the registration request unit 32 executes challenge / response authentication with the logistics company apparatus 10 (ST9). Note that the member public key PA and the logistics company public key PGM are shared between the purchaser apparatus 30 and the logistics company apparatus 10 in the course of challenge-response authentication.

When the mutual authentication is completed by the challenge / response in step ST9, the purchaser apparatus 30 causes the registration request unit 32 to generate a digital signature Sig _SA (PA) and a knowledge signature SPK = (e, v), and these digital signatures. Sig _SA (PA) and knowledge signature SPK are transmitted to the logistics company apparatus 10 (ST10).

In the logistics company apparatus 10, the purchaser registration unit 14 verifies the digital signature Sig _SA (PA) and the knowledge signature SPK (ST11). The signature processing is performed on PA to create a member certificate σA (= Sig _SG (PA)) (ST12).

Thereafter, the purchaser registration unit 14 stores the secret management information including the member ID of the member A, the public key and the certificate (IDA, PA, σA) in the tamper resistant area of the logistics company storage device 11, and A member public key PA and digital signature pair (PA, Sig _SA (PA)) is added to the member list. Thereby, the member is registered (ST13).

In the logistics company apparatus 10, the purchaser registration unit 14 transmits the member certificate σA to the purchaser apparatus 30 (ST14). In the purchaser apparatus 30, the registration request unit 32 stores the member certificate σA in the purchaser storage apparatus 31 (ST15). The purchaser apparatus 30 only needs to perform the above process once at the time of member registration. The purchaser can make an anonymous order any number of times using the member secret key SA and the member certificate σA generated here (anonymous order / delivery / settlement; FIGS. 8 to 10).
In the purchaser device 30, the product selection unit 33 transmits the product specifying information and the order request to the store device 20 by the purchaser's operation (ST 21).

  In the store apparatus 20, the order information generation unit 24 generates order information m including basic order information m1 and detailed order information m2 based on the order information generation information from the product specifying information. The store public key PSP is transmitted to the purchaser apparatus 30 (ST22).

Here, the order information m is formed by connecting the order basic information m1 and the order detail information m2 to each other (m = {m1‖m2}).
The basic order information is the minimum information necessary for the logistics company to deliver and settle the product, and includes an order ID that is information for uniquely identifying the order. The detailed order information is other detailed information, and is desirably kept secret from the logistics company from the viewpoint of protecting the privacy of the purchaser.

Specific examples of order basic information m1 and order detail information m2 will be given below (see FIG. 4).
Order basic information m1 = (order ID‖store name‖product category‖total amount‖payment method)
= (M11‖m12‖m13‖m14‖m15)
Detailed order information m2 = (Product number ‖ Product name ‖ Unit price ‖ Quantity ‖ Order date / time)
= (M21‖m22‖m23‖m24‖m25)
The product classification m13 indicates books, CDs, DVDs, and the like. The product name m22 indicates the title or the like.

  In the purchaser apparatus 30, the order confirmation unit 36 displays the basic order information m1 and the detailed order information m2 on the screen. The purchaser confirms whether or not the order contents are intended by this screen display, and operates the purchaser apparatus 30. The purchaser device 30 causes the anonymous order information generation unit 35 to generate anonymous order information from the basic order information m1 and the detailed order information m2 based on the anonymous order generation information in the purchaser storage device 31 by the purchaser's operation. Then, the anonymous order information is transmitted to the store apparatus 20 via the anonymous order unit 34 (ST24).

The anonymous order information includes at least order basic information m1, a hash value H (m2) of order detail information, a confidential message EPSP (m3) to a dealer, a confidential message EPGM (m4) to a logistics company, and a message m obtained by connecting these. It consists of a group signature (SPK _{σ, x} , c, SPK _c ) for (= m1‖H (m2) ‖EPSP (m3) ‖EPGM (m4)) (see FIG. 6). However, the secret messages EPSP (m3) and EPGM (m4) can be omitted. Here, the case where it is omitted will be described.

The group signature (SPK _{σ, x} , c, SPK _c ) is calculated from the group public key (PG, PE), the purchaser's member private key SA, and the certificate σA. Here, when the group signature generation function is represented by GrSig, the anonymous order information is represented by the following equation.

Anonymous order information = (m‖GrSig (m))
= (M1‖H (m2) ‖GrSig (m1‖H (m2)))
If the confidential message is not omitted, m1‖H (m2) ‖EPSP (m3) ‖EPGM (m4)) may be substituted for m in the above equation. Note that, regardless of whether or not the confidential message is omitted, the group signature generation method itself is as described above, but the configuration of the message m is different from the conventional one.

  Further, the anonymous order information generation unit 35 writes the anonymous order information in the purchaser storage device 31 together with m1, m2, m3, m4, and PSP. If the confidential message is not omitted, m3 and m4 are written in the purchaser storage device 31 together with the above-described anonymous order information, m1, m2, and PSP.

Upon receiving the anonymous order information, the store apparatus 20 verifies the validity of the anonymous order information based on the anonymous order verification information in the store storage device 21 as shown in FIG. ST25) Only when it is confirmed that the hash value H (m2) of the order detail information is correctly calculated and the group signature (SPK _{σ, x} , SPK _c ) is valid, the order is accepted. Otherwise, the order will be rejected.

  When accepting the order, in the store apparatus 20, the password generation unit 27 generates the password PW, and transmits the password PW together with the verification result “valid” to the purchaser apparatus 30 (ST26; legitimate). The purchaser device 30 writes this password PW in the purchaser storage device 31 in association with the current anonymous order information. When rejecting the order, the store apparatus 20 transmits the verification result “unauthorized” to the purchaser apparatus 30 (ST26; unjustified), and ends the process.

  Further, when the order verification unit 25 receives an order, the store apparatus 20 associates the order information, the anonymous order information, and the password PW with each other and stores them in the store storage device 21 (ST27). When the password PW is stored in the store storage device 21 and the purchaser storage device 31, a purchaser identity verification process described later becomes possible.

  Subsequently, the store apparatus 20 issues a slip in which the order ID is described instead of the shipping destination together with the anonymous order information. This voucher is affixed to the packaged product and shipped by the sales clerk (ST28). This slip also acts as a proxy settlement request.

  In the anonymous order as described above, the order detail information m2 is concealed with the hash value H (m2) and the order information is kept secret so that the purchaser can conceal what the purchaser has purchased. I can protect it.

  A major feature of anonymous orders is that the personal information of the buyer, including the pseudonym and ID, is not sent at all from the request for starting the order procedure to the order confirmation, and no access to the logistics company is made. It is one of.

Next, merchandise delivery and settlement will be described.
The logistics company delivers and settles the products ordered by the dealer. The logistics company device 10 stores the anonymous order information received in the past in the logistics company storage device 11 as an order history list in order to prevent fraud by the dealer.

  When the logistics company apparatus 10 receives the anonymous order information from the dealer, the order verification unit 16 checks whether there is the same information in the order history list, and if the same information is found, the product delivery / settlement is performed as an illegal request. I refuse. Otherwise, the validity of the group signature included in the anonymous order information is verified (ST29).

  The order verification unit 16 rejects delivery / settlement of goods even if the signature is invalid (ST30; reject), accepts only when the validity of the signature is confirmed (ST30; accept), and orders anonymous order information to the order history It is added to the list and stored in the logistics company storage device 11. As a result, the logistics company prevents unauthorized requests from dealers.

Subsequently, in the logistics company apparatus 10, the purchaser specifying unit 17 decrypts the group signature c (= E _PE (PA)) in the anonymous order information with the group secret key SE, and the member list is obtained from the obtained member public key PA. The signer is specified with reference to (ST31), and specific contents such as address and name are displayed on the screen or issued as a sticker.

  The logistics company employee fills in the information of the specified signer on the corresponding product slip and delivers the product (ST32). The signer identification process can be executed only by the logistics company apparatus 10 which is the only apparatus having group management information and member personal information. Further, in the logistics company apparatus 10, the settlement processing unit 15 performs proxy settlement from the purchaser's financial institution or the like based on the member personal information described in the member list in the logistics company storage device 11 (ST33). Is paid to a dealer (financial institution, etc.) (ST34). Furthermore, in the logistics company apparatus 10, the market information generation unit 18 deletes information (eg, address, name, etc.) that can identify an individual from the information of the specified signer, and for example, a market that includes prefectures, age groups, and genders. Information is generated and this market information is transmitted to the store apparatus 20 (ST35). The store apparatus 20 stores this market information and can use it for various types of analysis.

(Purchaser identity verification; Fig. 11)
It is assumed that the purchaser wants to make a request regarding the past order to the store apparatus 20 after the above-described step ST27.

  In the purchaser device 30, the purchaser identity proving unit 37 reads out from the purchaser storage device 31 the order ID for specifying the requested order and the password PW associated with the purchaser operation. Thereafter, the purchaser identity certification unit 37 generates a request including the order ID and the password PW by the purchaser's operation, and transmits this request to the store apparatus 20 (ST41).

  In the store apparatus 20, when the purchaser identity verification unit 28 receives a request including a past order ID and password from the purchaser apparatus 30, the order ID is in the order reception list of the store storage device 21. It is verified whether or not (ST42).

  As a result of this verification, when the corresponding order ID exists, the purchaser identity verification unit 28 further verifies whether or not the password PW related to the order ID matches the received password PW. If they match, the verification result “valid” is returned to the purchaser apparatus 30 (ST43; valid), and the request is accepted.

  When the received request is an inquiry request or a return request, for example, a store clerk may operate the store apparatus 20 to answer the request. When the received request is a request for providing point service, the purchaser identity verification unit 28 uses the number of order IDs with purchaser identity as the number of uses N, and accepts orders from the store storage device 21. Write to the list. As a result, the store apparatus 20 can execute a predetermined point service according to the number of uses N. As the point service, for example, a discount service for the settlement amount by the settlement request unit 26 can be considered. The processing according to the received request is the same in the following embodiments.

  On the other hand, as a result of the verification in step ST42, if the corresponding order ID does not exist in the store storage device 21, or if both passwords PW do not match even if the order ID exists, both of the verification results are “invalid. "Is returned to the purchaser apparatus 30 (ST43; illegal).

  In the purchaser identity verification process described above, an encryption communication protocol such as SSL (secure sockets layer) is used between the purchaser apparatus 30 and the store apparatus 20 from the viewpoint of preventing eavesdropping of the password PW or the like. preferable.

  As described above, according to the present embodiment, the purchaser device 30 and the store device 20 store “anonymous order information including an order ID” and “password” in association with each other, and the purchaser purchases if necessary. A request including the order ID and password is transmitted from the seller device 30 to the store device 20, and the store device 20 verifies the order ID and password included in this request, thereby requiring non-binding to the past use. Since it can be eliminated, inconveniences based on non-binding properties can be eliminated.

  In addition, authentication can be performed without the incompatibility only when the user intends. As a result, the user can show the identity of the user only when necessary, can inquire about the purchased service or product, make a return request, or receive a point service. Further, the service provider can improve the service quality and enhance the market information by knowing the identity of the user. In addition, since the advantage of anonymous authentication is not lost, it is possible to solve both inconveniences based on incompatibility and improve service quality while protecting personal information and privacy.

  In addition, since this method uses a password PW and does not require complicated processing, there is an advantage that processing is light. However, another mechanism is necessary to prevent fraud by leaking the password PW to a third party.

<Modification of First Embodiment>
<1-1> This embodiment can also be applied to an access control system described in Non-Patent Document 1 and an anonymous authentication system described in Non-Patent Document 2. When applied to the systems described in Non-Patent Documents 1 and 2, an ID that can uniquely identify a service request may be used instead of the order ID described above. For example, in the anonymous authentication system described in Non-Patent Document 2, when the length of the challenge is sufficient, the challenge may be used.

  <1-2> As a method for the purchaser identity proving unit 37 to select an order ID to be requested, the purchaser himself may explicitly select it, or the purchaser apparatus 30 may automatically select it. Also good.

  For example, when it is desired to make an inquiry request or a return request for a certain order, the purchaser himself has to make a selection. On the other hand, the purchaser device 30 can automatically select the latest order ID. Further, when the purchaser himself selects explicitly, the purchaser identity proving unit 37 displays a list by the function of displaying a list of the ordered information in the purchaser storage device 31 and the operation of the purchaser. From the viewpoint of operability, it is preferable to provide a function for designating an order ID from the already-ordered information.

  <1-3> If the order ID is difficult for a third party to guess, the password PW may be omitted.

  <1-4> The password PW may be generated not by the store apparatus 20 but by the purchaser apparatus 30. In that case, the password generation unit 27 may be omitted from the store apparatus 20 and provided in the purchaser apparatus 30. However, the purchaser may specify the password PW. In that case, both the store apparatus 20 and the purchaser apparatus 30 do not require the password generation unit 27, and the purchaser apparatus 30 requires a password input unit.

  <1-5> The timing at which the password PW is transmitted from the purchaser apparatus 30 to the store apparatus 20 is before the order request transmission, simultaneously with the order request transmission, simultaneously with the anonymous order information transmission, and after the anonymous order information transmission. Any timing may be used.

  <1-6> When a past order ID and password are shown in advance and it is confirmed that the purchaser is the same, the password generation unit does not need to issue a different password for each order ID as the password PW. , May be the same as in the past.

  <1-7> When it is necessary to strictly perform the purchaser identity verification process, in addition to the order ID and password PW, the order ID and password PW A group signature for the password PW may be used together.

  <1-8> When it is desired to cancel the incompatibility with the past order ID at the same time as the order, the order ID and password PW of the order for which the incompatibility should be canceled may be included in the anonymous order information. In this case, a secret message E_PSP (m3) to the store with the order ID and password of the past order as the message m3 may be created. However, as an encryption method for generating a secret message, a different ciphertext is calculated every time even if it is the same plaintext so that the non-association is maintained even if a third party looks at the ciphertext. It is necessary to use such an encryption method. As such an encryption method, for example, an encryption method using a random number such as the El Gamal encryption method or the RSA-OAEP method can be considered.

(Second Embodiment)
FIG. 12 is a schematic diagram showing the configuration of the anonymous ordering system according to the second embodiment of the present invention, where parts different from those in FIG. Mainly stated. In the following embodiments, the same description is omitted.

  That is, this embodiment is a modification of the first embodiment, and is a method of canceling the incompatibility of past orders using zero knowledge proof instead of a password.

  For example, when the purchaser device 30 generates anonymous order information, it generates a secret value unique to the order (hereinafter referred to as “buyer identity certification secret information x ′”), and this purchaser identity. A value (hereinafter referred to as purchaser identity verification information) m5 calculated based on the certification secret information x ′ is embedded in the anonymous order information.

  When the purchaser wants to release the incompatibility with the order ID to be requested from the store, the store device 20 sends a request including the order ID and zero knowledge proof information indicating that x ′ is known. Send to. Further, when it is not desired to cancel the incompatibility with the past order, the past order ID and zero knowledge proof information are not transmitted to the store apparatus 20. The retail store apparatus 20 accepts the request only when the zero knowledge certification information is verified and the verification result is valid.

  Specifically, the store apparatus 20 includes a purchaser identity verification unit 29 based on zero knowledge proof instead of the password generation unit 27 and the purchaser identity verification unit 28 based on the password. Accordingly, the store storage device 21 does not store the password PW as shown in FIG. 13, and the anonymous order information turns the purchaser identity verification information m5 into the message m as shown in FIG. The contents are included.

  Here, the purchaser identity verification unit 29 receives the purchaser identity from the purchaser device 30 based on the “past order ID” and the “buyer identity certification secret information x ′ corresponding to this order ID”. Upon receipt of a request including “zero knowledge proof information (w, s) indicating that the secret information x ′ for proof is known”, the store storage device 21 stores the purchaser identity verification information m5 related to the order ID. And the verification result of the zero knowledge proof information (w, s) and the verification result of the zero knowledge proof information (w, s) are valid based on the searched buyer identity verification information m5. At the time, it has a function to accept requests.

  On the other hand, the purchaser apparatus 30 includes a purchaser identity proof secret information generation unit 38 and a purchaser identity proof unit 39 based on zero knowledge proof instead of the purchaser identity proof unit 37 based on the password. ing. Accordingly, as shown in FIG. 15, the purchaser storage device 31 stores the purchaser identity certification secret information x ′ in association with the anonymous order information, instead of the password PW.

  The purchaser identity proof secret information generation unit 38 generates the purchaser identity proof secret information x ′ corresponding to the order ID, and the purchaser identity proof secret information x ′. A function for generating the purchaser identity verification information m5 and the purchaser identity verification information m5 are sent to the anonymous order information generation unit 35 by calculation using the purchaser identity verification secret information x ′ as a power index. And the function of writing the anonymous order information generated by the anonymous order information generating unit 35 and the purchaser identity proof secret information x ′ into the purchaser storage device 31 in association with each other. The purchaser identity proof secret information x ′ may be inferred by a third party, and may be generated as a random number, for example. Supplementally, the confidential information x ′ for purchaser identity proof that cannot be guessed cannot be guessed from the third party (the manager device 10 and the store device 20). Even if it is based on the purchaser identity verification information m5, it is information that cannot be estimated from a third party (the manager device 10 and the store device 20). As described above, the secret information x ′ for purchaser identity proof cannot be inferred from a third party (even if it is based on the purchaser identity verification information m5). .

Accordingly, the anonymous order information generation unit 35 is configured to generate anonymous order information based on the message m including the purchaser identity verification information m5.

  The purchaser identity proof unit 39 searches the purchaser storage device 31 for the purchaser identity proof secret information x ′ related to the past order ID by the purchaser's operation, and the same purchaser as the retrieved buyer. Order based on the function to generate zero knowledge proof information (w, s) that knows the buyer's identity proof secret information x 'based on the proof secret information x' and the purchaser's operation It has a function of generating a request including ID and zero knowledge proof information (w, s) and a function of transmitting the generated request to the store apparatus 20.

  Next, the operation of the anonymous order system configured as described above will be described.

(Anonymous order / delivery / settlement; FIGS. 16 and 17)
Here, as the confidential information for purchaser identity proof and zero knowledge proof of knowing it, “definition 4” of Non-Patent Document 2 “Definition 4 on message m, y = g ^ on base g An example of using “signature of knowledge of the discrete logarithm of y = g ^ x ′ wrt base g, on a message m” ”will be described.

  Here, G is a cyclic group in which the order #G is not known, and the generation source of the cyclic group G is g. The bit length L of the order #G is, for example, an integer L such that 2 ^ (L-1) ≦ # G <2 ^ L. ^ Represents a power. Further, it is assumed that the one-way hash function H: {0,1} ^ * → {0,1} ^ k. k represents the bit length after the calculation of the hash function. ε is a security parameter, for example, ε> 1. In the following description, y, g, h ∈ G and x ′ ∈ Z are assumed. Z is the set of whole integers.

  Now, it is assumed that steps ST21 to ST22 are executed as described above.

  Next, in the purchaser apparatus 30, when the anonymous order information is generated, the purchaser identity certification secret information generation unit 38 generates the purchaser identity certification secret information x ′.

  Subsequently, the purchaser identity proof secret information generation unit 38 determines that h = g ^ r, y = h ^ x ', based on the purchaser identity proof secret information x', the random number r, and the base g. The purchaser identity verification information m5 = (h, y) is calculated, and the purchaser identity verification information m5 = (h, y) is sent to the anonymous order information generation unit 35.

  The anonymous order information generation unit 35 generates anonymous order information including the purchaser identity verification information m5 in the message m (ST23), and sends the anonymous order information to the purchaser identity certification secret information generation unit 38. On the other hand, this anonymous order information is transmitted to the store apparatus 20 via the anonymous order unit 34 (ST24). Further, the purchaser identity proof secret information generation unit 38 writes the anonymous order information and the purchaser identity proof secret information in the purchaser storage device 31 in association with each other.

When the store apparatus 20 receives the anonymous order information, as shown in FIG. 17, the order verification unit 25 verifies the validity of the anonymous order information based on the anonymous order verification information in the store storage device 21 ( ST25) Only when it is confirmed that the hash value H (m2) of the order detail information is correctly calculated and the group signature (SPK _{σ, x} , SPK _c ) is valid, the order is accepted. Otherwise, the order will be rejected.

  When accepting the order, the store apparatus 20 transmits the verification result “valid” to the purchaser apparatus 30 (ST26; legitimate). On the other hand, when rejecting the order, the store apparatus 20 transmits the verification result “unauthorized” to the purchaser apparatus 30 (ST26; unjustified), and ends the process.

Further, when the order verification unit 25 receives an order, the store apparatus 20 associates the order information and the anonymous order information with each other and stores them in the store storage device 21 (ST27). When the order information and the anonymous order information are stored in the store storage device 21, the purchaser identity verification process described later becomes possible.
The delivery / settlement processing in the following steps ST28 to ST34 is executed in the same manner as described above.

(Purchaser identity verification processing; FIG. 18)
It is assumed that the purchaser wants to make a request regarding the past order to the store apparatus 20 after the above-described step ST27.

  In the purchaser device 30, the purchaser identity certification unit 39 causes the purchaser identity certification unit 39 to operate with the purchaser identity certification secret information x ′ associated with the anonymous order information including the order ID for specifying the requested order. Is read from the purchaser storage device 31.

  Thereafter, the purchaser identity proving section 39 transmits a verification start request including the order ID to the store apparatus 20 (ST51). Upon receiving this verification start request, the store apparatus 20 generates a message m6 including the random number a and returns it to the purchaser apparatus 30.

  In the purchaser apparatus 30, upon receiving the message m6, the purchaser identity proving unit 39 selects a random number t ∈ ± {0,1} ^ {ε (L + k)}, and the random number t, Zero knowledge proof information w, s ∈ Z based on the purchaser identity proof secret information x ′, purchaser identity verification information m5 = (y, h) and message m6 is calculated (ST53).

w = H (y‖h‖h ^ t‖m6)
s = t − wx '
However, ‖ represents connection. (w, s) satisfies (w, s) ∈ ± {0,1} ^ k × ± {0,1} ^ {ε (L + k) +1}. w is a hash value. s is a power index in the verification formula described later. The random number a is information for preventing unauthorized reuse of the zero knowledge proof information, but is not essential. For example, the random number a may be omitted from the message m6, and the current time may be included in the message m6 instead of the random number a.

  Thereafter, the purchaser identity proof unit 39 transmits a request including the order ID and zero knowledge proof information (w, s) to the store apparatus 20 by the purchaser's operation (ST54).

  In the store apparatus 20, when the purchaser identity verification unit 29 receives a request including a past order ID and zero knowledge proof information (w, s) from the purchaser apparatus 30, the order ID is stored in the store memory. It is verified whether it is in the order reception list of the device 21 (ST55).

  As a result of this verification, when the corresponding order ID exists, the purchaser identity verification unit 29, the purchaser identity verification information m5 = (h, y) in the anonymous order information related to the order ID. Further, based on the received message m6 including the zero knowledge proof information (w, s) and the random number a, it is further verified whether or not the following verification expression is satisfied.

w = H (y‖h‖h ^ s ・ y ^ w‖m6)
As a result of the verification, if the verification formula is established, the verification result “valid” is returned to the purchaser apparatus 30 (ST56; valid), and the request is accepted. Note that the processing according to the received request is executed in the same manner as described above.

  As described above, according to the present embodiment, the purchaser device 30 stores “anonymous order information including the order ID and the purchaser identity verification information m5” and the “buyer identity verification secret information x ′”. The store apparatus 20 stores “anonymous order information including the order ID and purchaser identity verification information m5”, and the purchaser receives the order ID and zero knowledge certification information (w, s) is transmitted to the store apparatus 20, and the zero knowledge proof information (w, s) is transmitted based on the purchaser identity verification information m5 retrieved from the order ID included in the request by the store apparatus 20. With the configuration for verifying, it is possible to eliminate non-association with respect to past use as necessary, so that inconveniences based on non-association can be eliminated.

  In addition, according to the present embodiment, although the amount of calculation is larger than that in the first embodiment, since the store device 20 does not need to manage the password PW, the management cost of the store can be reduced. it can.

<Modification of Second Embodiment>
<2-1>, <2-2> The first and second modified examples <1-1> and <1-2> in the first embodiment can be similarly implemented as modified examples of the present embodiment.

  <2-3> The present embodiment is not limited to the zero knowledge proof of definition 4 described in Non-Patent Document 2, but can be modified to use other types of zero knowledge proof.

  <2-4> This embodiment is modified so that a traceable signature is used instead of a group signature, and craming in a traceable signature is used instead of a zero knowledge proof. (See Non-Patent Document 4).

  <2-5> This embodiment can use a common value for all orders instead of using a different value for each order as the confidential information for purchaser identity certification. In that case, it is not necessary to manage the value for each order, and the value may be managed in the same manner as the member secret key.

(Third embodiment)
Next, an anonymous order system according to the third embodiment of the present invention will be described with reference to FIGS.

  That is, this embodiment is a modification of the second embodiment. When the purchaser wants to indicate to the store that one or more orders are from the purchaser, the purchaser has one or more. The same purchaser identity proof secret information x ′ is embedded in the anonymous order information and the value is shown using zero knowledge proof. Each anonymous order information includes purchaser identity verification information m5 = (h, y) = (g ^ r, h ^ x '), in which r is individually calculated as a different random number for each order.

  When the target order ID is one, it is the same as in the second embodiment except that the purchaser identity certification secret information x ′ is common to all orders. Since it can be easily expanded from the case, the case where there are two order IDs will be described.

  In the purchaser identity proof unit 29, the expression for generating the hash value w of the zero knowledge proof information (w, s) is “w = H (y‖y'‖h‖h'‖h ^ t‖h ' ^ t‖m6) ”.

  In other words, the purchaser identity verification unit 29 obtains the purchaser identity certificate from the purchaser device 30 based on the “past order ID” and the “buyer identity certification secret information x ′ corresponding to this order ID”. Upon receiving a request including “zero knowledge proof information (w, s) that the secret information x ′ is common and knows its value”, the purchaser identity verification information m5 related to the order ID From the store storage device 21, a function to verify the zero knowledge proof information (w, s) based on the searched buyer identity verification information m5, and zero knowledge proof information (w, When the verification result of s) is valid, it has a function of accepting a request.

  Similarly, the expression for verifying the zero knowledge proof information (w, s) in the purchaser identity verification unit 29 is “w = H (y‖y'‖h‖h'‖h ^ s · y ^ w‖). h '^ s ・ y' ^ w‖m6) ”.

  That is, the purchaser identity proof secret information generation unit 38 uses the purchaser's operation in the above-described function to generate the purchaser identity proof secret information x ′ generated corresponding to the past order ID. It has a function used for the common purchaser identity certification secret information x ′ corresponding to the order ID. Supplementally, the purchaser identity certification secret information x 'is common secret information regardless of the order ID.

  The purchaser identity proof unit 39 has a function of searching for common purchaser identity proof secret information x ′ related to two past order IDs from the purchaser storage device 31 by a purchaser operation, and a search. Based on the purchased buyer identity proof secret information x ', the zero identity proof information (w, s) indicating that the buyer identity proof secret information x' is common and knows its value. A function for generating, a function for generating a request including an order ID and zero knowledge proof information (w, s) by a purchaser's operation, and a function for transmitting the generated request to the store apparatus 20.

  Next, the operation of the anonymous order system configured as described above will be described.

(Anonymous order / delivery / settlement; FIGS. 16 and 17)
Here, as zero knowledge proof that the same purchaser identity proof secret information is embedded in two purchaser identity proof secret information, the definition 5 (Definition 5) described in Non-Patent Document 2 describes “ The signature of knowledge of the discrete logarithm of both y_1 = g ^ x 'wrt base on message m, y_1 = g ^ x' for base g and y_2 = g ^ x 'for base h g and y_2 = h ^ x 'wrt base h, on a message m) "is described. The definition of the symbols is the same as in the second embodiment unless otherwise specified.

  Now, it is assumed that steps ST21 to ST22 are executed as described above.

  Next, in the purchaser apparatus 30, when the anonymous order information is generated, the purchaser identity certification secret information generation unit 38 generates the purchaser identity certification secret information x ′. However, the purchaser identity proof secret information x 'is set to the same value as the purchaser identity proof secret information x' of the past order ID to be released from the non-binding property. The buyer identity proof secret information x ′ generated first may be generated by a third party as long as it is difficult for a third party to guess.

  Subsequently, the purchaser identity proof secret information generation unit 38 determines that h = g ^ r, y = h ^ x ', based on the purchaser identity proof secret information x', the random number r, and the base g. The purchaser identity verification information m5 = (h, y) is calculated, and the purchaser identity verification information m5 = (h, y) is sent to the anonymous order information generation unit 35.

  Thereafter, the anonymous order process of steps ST23 to ST27 is executed as described above. Further, the delivery / settlement process of steps ST28 to ST34 is executed in the same manner as described above.

(Purchaser identity verification processing; FIG. 18)
It is assumed that the purchaser wants to make a request regarding the past order to the store apparatus 20 after the above-described step ST27.

  In the purchaser apparatus 30, the purchaser identity proof unit 39 causes the purchaser identity proof associated with two pieces of anonymous order information including two order IDs to specify two orders to be requested by the operation of the purchaser. The secret information x ′ is read from the purchaser storage device 31. Note that the two anonymous order information items individually include buyer identity verification information m5 = (h, y) or m5 '= (h', y ') (h = g ^ r , Y = h ^ x ', h' = g ^ r ', y' = h '^ x').

  Thereafter, the purchaser identity proving section 39 transmits a verification start request including the order ID to the store apparatus 20 (ST51). Upon receiving this verification start request, the store apparatus 20 generates a message m6 including the random number a and returns it to the purchaser apparatus 30. The random number a is information for preventing unauthorized reuse of the zero knowledge proof information, but is not essential. For example, the random number a may be omitted from the message m6, and the current time may be included in the message m6 instead of the random number a.

  In the purchaser apparatus 30, upon receiving the message m6, the purchaser identity proving unit 39 selects a random number t ∈ ± {0,1} ^ {ε (L + k)}, and the random number t, Common purchaser identity proof secret information x ′, two purchaser identity verification information m5 = (h, y), m5 ′ = (h ′, y ′) and zero knowledge proof information w based on message m6 , s ∈ Z is calculated (ST53). This zero knowledge proof (w, s) indicates that the discrete logarithm x 'of y with respect to the base h is the same as the discrete logarithm x' of y 'with respect to the base h'.

w = H (y‖y'‖h‖h'‖h ^ t‖h '^ t‖m6)
s = t − wx '
After that, the purchaser identity proof unit 39 transmits a request including two order IDs and zero knowledge proof information (w, s) to the store apparatus 20 by the purchaser's operation (ST54).

  In the store apparatus 20, when the purchaser identity verification unit 29 receives a request including two past order IDs and zero knowledge proof information (w, s) from the purchaser apparatus 30, each order ID is sold. It is verified whether it is in the order reception list of the store storage device 21 (ST55).

  As a result of this verification, when each corresponding order ID exists, the purchaser identity verification unit 29 purchaser identity verification information m5 = (h in the two anonymous order information related to each order ID. , y) and m5 ′ = (h ′, y ′), based on the received message m6 containing the zero knowledge proof information (w, s) and the random number a, further verify whether or not the following verification expression holds: .

w = H (y‖y'‖h‖h'‖h ^ s ・ y ^ w‖h '^ s ・ y' ^ w‖m6)
As a result of this verification, if the verification formula holds, the verification result “valid” is returned to the purchaser apparatus 30 (ST56; valid), and the request is accepted. Note that the processing according to the received request is executed in the same manner as described above.

  As described above, according to the present embodiment, the purchaser device 30 stores “anonymous order information including the order ID and the purchaser identity verification information m5” and the “buyer identity verification secret information x ′”. The store apparatus 20 stores “anonymous order information including order ID and purchaser identity verification information m5”, and the purchaser can purchase one or more order IDs and zero knowledge proof from the purchaser apparatus 30 as necessary. The request including the information (w, s) is transmitted to the store apparatus 20, and the two purchaser identity verification information m5, m5 ′ searched by the store apparatus 20 from one or more order IDs included in this request. With the configuration in which the zero knowledge proof information (w, s) is verified based on the above, it is possible to eliminate the non-association with respect to past use as necessary, so that the inconvenience based on the non-association can be solved.

  Moreover, according to this embodiment, in addition to the effect of 1st Embodiment, there exist the following effects.

  It can be shown that purchasers who have generated a plurality of anonymous order information are the same purchasers. Therefore, it is effective when receiving a point service indicating that a plurality of orders are the same. Further, in some cases, such as when there is a suspicion of fraud, the purchaser can be specified by the logistics company apparatus 10, so that the identity of the purchaser can be strictly verified.

  On the other hand, since relatively heavy processing is required, when it is not necessary to strictly perform purchaser identity verification (for example, in the case of an inquiry about an order), the first embodiment or the second embodiment Is more suitable.

<Modification of Third Embodiment>
<3-1>, <3-2> The first and second modified examples <1-1> and <1-2> in the first embodiment can be similarly implemented as modified examples of the present embodiment.

  <3-3> The present embodiment is not limited to the zero knowledge proof of definition 5 described in Non-Patent Document 2, but can be modified to use other types of zero knowledge proof.

  <3-4> This embodiment can also use secret information for purchaser identity certification common to all orders. In that case, it is not necessary to manage the value for each order, and the value may be managed in the same manner as the member secret key.

(Fourth embodiment)
FIG. 19 is a schematic diagram showing a configuration of an anonymous ordering system according to the fourth embodiment of the present invention. FIGS. 20 and 21 are a storage device for purchaser and a private information storage for purchaser identity proof of the system, respectively. It is a schematic diagram which shows the structure of an apparatus.

  This embodiment is a modification of the third embodiment. Specifically, the purchaser identity proving unit 39 and the purchaser identity verification unit 29 are made independent from the purchaser device 30 and the store device 20, respectively. The purchaser identity verification device 50 and the purchaser identity verification device 60 are configured.

  Here, the purchaser device 30 omits the purchaser identity proving unit 39 among the units 31 to 36, 38 and 39 shown in FIG. It is modified to be a purchaser identity proof secret information generation unit 38 ′.

  The purchaser identity proof secret information generation unit 38 ′ has the function of generating the purchaser identity proof secret information x ′ at the time of initial setting and the generated purchaser identity proof secret information x ′. A function for writing to the device 50 for proving the authenticity, a function for calculating the secret calculation value g ^ x 'using the secret information x' for the purchaser's identity verification as a power index, and the buyer calculating the calculated secret calculation value g ^ x ' And a function for writing to the storage device 31.

  Accordingly, unlike the above-described FIG. 15, the purchaser storage device 31 holds the secret calculated value g ^ x ′ as part of the anonymous order information generation information as shown in FIG. The purchaser identity secret information x ′ is omitted from the completed information.

  Further, in addition to the functions described above, the anonymous order information generation unit 35 individually generates the secret order information g ^ x ′ in the purchaser storage device 31, the generated random numbers r and r ′, and the predetermined base g. Buyer identity verification information m5 = (h, y) = (g ^ r, h ^ x ') or m5' = (h ', y') = (g ^ r ', h' ^ x ') (However, y = h ^ x '= (g ^ x') ^ r, y '= h' ^ x '= (g ^ x') ^ r '). The generation of the purchaser identity verification information m5 and m5 'is executed using the secret calculated value g ^ x' without using the purchaser identity verification information x '.

  On the other hand, the purchaser identity proof device 50 is a device that can be carried by the purchaser, such as an IC card. Specifically, the purchaser identity proof secret information storage device 51 and the purchaser identity proof are provided. A portion 39 is provided.

  As shown in FIG. 21, the purchaser identity proof secret information storage device 51 is a memory for storing the purchaser identity proof secret information x ′ written from the purchaser device at the initial setting. It can be read from the certification unit 39. It should be noted that x ′ and g ^ x ′ need only be written once into the respective storage devices 51 and 31 at the time of initial setting, and may be manually written into each or one of the storage devices 51 and 31 at the time of writing. 30 and 50 may be connected, and the value x ′ corresponding to the secret calculation value g ^ x ′ may be automatically written in the purchaser identity certification secret information storage device 51.

  The purchaser identity proof unit 39, based on the purchaser identity proof secret information x 'in the purchaser identity proof secret information storage device 51, purchaser identity related to one or more past order IDs. A function for generating zero-knowledge proof information for sharing and knowing secret information x ′ for sex proof, a function for generating a request including one or more order IDs and zero-knowledge proof information, And a function of transmitting the obtained request to “a purchaser identity verification apparatus 60 capable of acquiring anonymous order information from the store apparatus 20”.

  In addition, the store apparatus 20 is the structure further provided with the anonymous order information transmission part 71 while omitting the purchaser identity verification part 29 among each part 21-26,29 shown in FIG. When the anonymous order information transmission unit 71 receives a request including an order ID from the purchaser identity verification device 60, the anonymous order information transmission unit 71 verifies whether the order ID is in the order reception list of the store storage device 21; As a result of the verification, if there is a corresponding order ID, the anonymous order information corresponding to the order ID is read from the store storage device 21 and transmitted to the purchaser identity verification device 60; As a result of this verification, when there is no corresponding order ID, it has a function of transmitting error information to the purchaser identity verification device 60.

  On the other hand, the purchaser identity verification device 60 is a device arranged in a large number of stores such as a convenience store (hereinafter referred to as a convenience store), specifically, a verification storage device 61, anonymous order information. A receiving unit 62 and a purchaser identity verification unit 29 are provided.

  The verification storage device 61 is a memory that can be written from the anonymous order information receiving unit 62 and can be read / written from the purchaser identity verification unit 29, and stores the anonymous order information received from the store apparatus 20. Is.

  The anonymous order information receiving unit 62 is controlled by the purchaser identity verifying unit 29 and reads out one or more anonymous order information corresponding to the inputted “one or more order IDs” from the store apparatus 20; A function of writing one or more pieces of anonymous order information read (received) from the store apparatus 20 into the verification storage device 61.

  The purchaser identity verification unit 29 controls the anonymous order information receiving unit 62 so as to read one or more anonymous order information corresponding to the input “one or more past order IDs” from the store apparatus 20. The function and the purchaser identity proof device 50 share "the past one or more order IDs" and "the purchaser identity certification secret information corresponding to the one or more order IDs" A function of receiving a request including “zero knowledge proof information of knowing” and one or more purchaser identity verifications included in one or more anonymous order information in the verification storage device 61 upon receiving this request A function for verifying zero knowledge proof information based on the information for use, and a function for accepting a request when the verification result of the zero knowledge proof information is valid.

Next, the operation of the anonymous order system configured as described above will be described.
(Initial setting: Fig. 22)
Now, similarly to the above, it is assumed that steps ST1 to ST15 are executed and the purchaser device 30 stores the member certificate σ _A in the purchaser storage device 31.

  Thereafter, in the purchaser device 30, the purchaser identity proof secret information generation unit 38 ′ generates the purchaser identity proof secret information x ′ and purchases the purchaser identity proof secret information x ′. To the person identity verification device 50 (ST16). The purchaser identity proof device 50 writes and stores the purchaser identity proof secret information x 'in the purchaser identity proof secret information storage device 51 (ST17).

  Further, in the purchaser device 30, the purchaser identity proof secret information generation unit 38 ′ calculates a secret calculation value g ^ x ′ using the purchaser identity proof secret information x ′ as a power index, and this secret calculation value g ^ x 'is written in the purchaser storage device 31 (ST18).

  The purchaser device 30 and the purchaser identity proof device 50 need only perform the added processing after step ST16 once at the time of member registration (initial setting). The purchaser can use the secret calculation value g ^ x 'and the purchaser's identity certification secret information x' stored at the time of initial setting to perform subsequent anonymous orders and product receipts any number of times.

(Anonymous order / delivery / settlement: FIG. 23)
Now, it is assumed that steps ST21 to ST22 are executed as described above.

  Next, in the purchaser device 30, when generating anonymous order information, the anonymous order information generation unit 35 reads the secret calculated value g ^ x ′ from the purchaser storage device 31.

  Subsequently, the anonymous order generation unit 35 individually purchases the identity verification information m5 = (h, y) = (g ^ r, h) based on the secret calculated value g ^ x ′, the random number r, and the base g. ^ x ') (where y = h ^ x' = (g ^ x ') ^ r).

  The anonymous order information generating unit 35 generates anonymous order information including the purchaser identity verification information m5 in the message m (ST23). At this time, the anonymous order information generating unit 35 generates the anonymous order information so as to include a confidential message EPGM (m4) to the logistics company that specifies the convenience store at the place of receiving the goods by the purchaser's operation. .

  Thereafter, the anonymous order information generating unit 35 transmits the anonymous order information to the store apparatus 20 via the anonymous order unit 34 (ST24). Further, the anonymous order information generation unit 35 writes the anonymous order information in the purchaser storage device 31 together with m1, m2, m3, m4, and PSP.

Upon receiving the anonymous order information, the dealer apparatus 20 executes steps ST25 to ST27 as described above. As a result, when the order information and the anonymous order information are stored in the store storage device 31, a purchaser identity verification process described later becomes possible.
The delivery / settlement processing in the following steps ST28 to ST34 is executed in the same manner as described above except that the delivery destination of the product in step ST32 ′ is a convenience store. This delivery destination is designated by the confidential message EPGM (m4) in step ST23.

(Purchaser identity verification processing: FIG. 24)
It is assumed that the purchaser wants to make a request regarding the past order to the store apparatus 20 after the above-described step ST27.

  The purchaser goes to the convenience store where the product is received, and requests the store clerk to input a verification start request including one or more past order IDs.

  When there is one order ID, the same processing as ST51 and subsequent steps in the second embodiment may be performed, and in the case of three or more, it can be easily expanded from two cases. Will be described.

  In the purchaser identity verification device 60, when a verification start request including the past two order IDs is input by the operation of the store clerk (ST51 ′), the purchaser identity verification unit 29 reads “two orders. The anonymous order information receiving unit 62 is controlled to read the two anonymous order information corresponding to “ID”.

  The anonymous order information receiving unit 62 transmits a transmission request including two order IDs corresponding to the two anonymous order information to the store apparatus 20 (ST52'-1).

  In the store apparatus 20, when the anonymous order information transmission unit 71 receives a request including two order IDs, it verifies whether each order ID is in the order reception list of the store storage device 21. As a result of this verification, when there is a corresponding order ID, the anonymous order information transmitting unit 71 reads two anonymous order information corresponding to the two order IDs from the store storage device 21 and receives the anonymous order information. Transmit to unit 62 (ST52'-2).

  The anonymous order information receiving unit 62 writes these two anonymous order information in the verification storage device 61. The purchaser identity verification unit 29 extracts purchaser identity verification information m5 = (h, y), m5 ′ = (h ′, y ′) from the two anonymous order information in the verification storage device 61, respectively. . Further, the purchaser identity verification unit 29 generates a message m6 including the random number a. Thereafter, the purchaser identity verification unit 29 transmits the purchaser identity verification information m5, m5 'and the message m6 to the purchaser identity verification device 50.

  Upon receiving purchaser identity verification information m5, m5 'and message m6, purchaser identity verification device 50 calculates zero knowledge verification information w, s ε Z as described above (ST53). This zero knowledge proof (w, s) indicates that the discrete logarithm x 'of y with respect to the base h is the same as the discrete logarithm x' of y 'with respect to the base h'.

w = H (y‖y'‖h‖h'‖h ^ t‖h '^ t‖m6)
s = t − wx '
Thereafter, the purchaser identity verification unit 39 transmits a request including two order IDs and zero knowledge verification information (w, s) to the purchaser identity verification device 60 (ST54).

  When the purchaser identity verification apparatus 60 receives a request including two order IDs and zero knowledge proof information (w, s), the purchaser identity verification information in the anonymous order information related to the order ID is received. Based on the message m6 including m5, m5 ′, the received zero knowledge proof information (w, s) and the random number a, it is further verified whether or not the following verification expression holds (ST55).

w = H (y‖y'‖h‖h'‖h ^ s ・ y ^ w‖h '^ s ・ y' ^ w‖m6)
As a result of this verification, if the verification formula is established, the verification result “valid” is returned to the purchaser identity proving apparatus 50 (ST56; valid), and the request is accepted. Note that the processing according to the received request is executed in the same manner as described above. Further, when the received request is a product receipt request, the store clerk delivers the corresponding product to the purchaser.

  As described above, according to the present embodiment, the application of anonymous orders is expanded in addition to the effects of the third embodiment by the configuration in which only the purchaser identity proof function and the verification function are separated from other functions. In addition, security can be improved.

  For example, the product is anonymously ordered from the purchaser device 30 via the Internet, and the product is received only by the purchaser identity proof device 60 indicating the identity of the purchaser at the store (impossible with the conventional anonymous order) Since a new service becomes possible, the application destination of anonymous orders can be expanded.

  Further, since the purchaser device 30 and the purchaser identity proof device 60 are separated on the purchaser side, even if any of the devices 30 and 60 is used illegally, the purchaser device 30 and the purchaser identity verification device 60 are not authorized. Unauthorized receipt can be prevented. For example, even if an illegal order is made by illegal analysis and use of the purchaser device 30, the product cannot be received without the purchaser identity verification device 60. On the other hand, even if the purchaser identity proof device 60 is lost or stolen, it is not possible to order a product without the purchaser device 30. That is, as long as both devices 30 and 60 are not illegally used, it is possible to prevent illegal receipt due to an illegal order of goods.

  Further, at the store side, the function of accepting anonymous orders on the Internet and the function of confirming the purchaser at the store are separated from each other, so that it can be expected to improve security and reduce management costs.

<Modification of Fourth Embodiment>
<4-1> In order to send and receive anonymous order information between the store apparatus 20 and the purchaser identity verification apparatus 60, it is not always necessary to communicate online, and anonymous order information is provided together with the product. Means such as delivery may be used.

  Specifically, as shown in FIG. 25, a configuration (anonymous order information transmission unit 71, network 46, and anonymous order information) for transmitting and receiving anonymous order information between the store apparatus 20 and the purchaser identity verification apparatus 60 The receiving unit 61) may be modified so as to be omitted.

  In this modified example, as shown in steps ST28 ′ and ST32 ′ of FIG. 26, the “storage medium storing anonymous order information together with the merchandise” is stored in the convenience store from the store apparatus 20 via the logistics company apparatus 10. Delivered to.

  At the convenience store side, after step ST51 ', the anonymous order information is read from the storage medium, so that the processing from step ST52' can be executed as described above.

  This modification <4-1> can be similarly applied to all the following modifications by omitting the anonymous order information transmitting unit 71, the network 46, and the anonymous order information receiving unit 61.

  <4-2> Although the application example to the third embodiment has been described above, the fourth embodiment can also be applied to the first and second embodiments. In that case, it is necessary to put information (for example, order ID) at the time of order into the purchaser identity verification device 50.

  <4-2> <1> For example, when applied to the second embodiment, as shown in FIG. 27, the purchaser identity verification apparatus 50 uses the secret information writing process in the configuration shown in FIG. The unit 52 is further provided. The purchaser apparatus 30 further includes a secret information write request unit 81 in the configuration shown in FIG.

  Here, when the secret information write processing unit 52 receives the order ID and the purchaser identity certification secret information x ′ received from the secret information write request unit 81 via the communication path 46, as shown in FIG. In addition, the order ID and the purchaser's identity proof secret information x ′ are associated with each other and written into the purchaser's identity proof secret information storage device 51.

  The secret information write request unit 81 has a function of transmitting the order ID and the purchaser identity certification secret information x ′ to the secret information write processing unit 52 for each anonymous order.

  Accordingly, in the anonymous order process, every time an order is placed, the purchaser device 30 and the purchaser identity verification device 50 communicate securely, and as shown in FIG. 28 and FIG. Are added to the purchaser identity certification secret information storage device 51 in association with each other (ST27'-1, ST27'-2). For this reason, the purchaser identity proving apparatus 50 is also required at the time of ordering. Although the purchaser identity proof device 50 is different for each order, it is desirable that the purchaser identity proof device 50 has tamper resistance because it reads the buyer identity proof secret information x '.

  In the purchaser identity verification process, as shown in FIG. 30, the purchaser identity verification device 50 sends a “verification start request including order ID” to the purchaser identity verification device 60 in step ST51 ′. After the input, the processing after step ST52 "-1 is executed as described above.

  <4-2> of <4-2> On the other hand, when applied to the first embodiment, as shown in FIG. 31, the purchaser identity proving apparatus 50 has the purchaser identity in the configuration shown in FIG. Instead of the proof secret information storage device 51, a password storage device 51 ′ is provided, and a password writing processing unit 52 ′ is further provided. The purchaser apparatus 30 further includes a password writing request unit 81 'in the configuration shown in FIG.

  Here, when the password writing processing unit 52 ′ receives the order ID and password PW from the password writing request unit 81 ′ via the communication path 46, the order ID and password PW are associated with each other as shown in FIG. And has a function of writing to the password storage device 51 ′.

  The password writing request unit 81 ′ has a function of transmitting the order ID and the password PW to the password writing processing unit 52 ′ for each anonymous order.

  Accordingly, in the anonymous order process, every time an order is placed, the purchaser device 30 and the purchaser identity verification device 50 communicate securely, and as shown in FIG. 32 and FIG. The password PW and the order ID are associated with each other and written into the password storage device 51 ′ (ST27 ″ -1, ST27 ″ -2). For this reason, the purchaser identity proving apparatus 50 is also required at the time of ordering. Although the purchaser identity proving apparatus 50 is different for each order, it is desirable to have tamper resistance because it reads the password PW.

  In the purchaser identity verification process, as shown in FIG. 34, when purchaser identity verification device 50 inputs “request including order ID and password” to purchaser identity verification device 60 (ST41). "), The purchaser identity verification device 60 transmits a password transmission request including the order ID to the store device 20 (ST42" -1), and if there is a corresponding order ID, it corresponds from the store device 20. A password is received (ST42 "-2).

  Thereafter, the purchaser identity verification device 60 verifies whether or not both passwords match, and if they match, returns a verification result “valid” to the purchaser identity certification device 50 (ST43 ”; valid) Accept the request.

On the other hand, if the two passwords PW do not match as a result of the verification in step ST42 ", the verification result" illegal "is returned to the purchaser identity proving apparatus 50 (ST43"; illegal).
<4-3> When the processing capability of the purchaser identity proof device 50 is low or when there is no calculation capability (for example, a memory card, etc.), the calculation cannot be performed in the purchaser identity proof device 50. In this case, the purchaser identity proof secret information x ′ may be read from the purchaser identity proof device 50 and the proof / verification process may be performed in the purchaser identity verification device 60. In this case, however, security measures such as securing the communication channel for reading and making the purchaser identity verification device 60 tamper resistant should be taken so that the confidential information x ′ for purchase identity verification is not leaked. Is preferred.

  Specifically, as shown in FIG. 35, the purchaser identity proof device 50 includes a secret information read response unit 53 instead of the purchaser identity proof unit 39 shown in FIG. Further, the purchaser identity verification apparatus 60 further includes a secret information read request unit 63 in the configuration shown in FIG.

  Here, in response to the transmission request received from the secret information read request unit 63, the secret information read response unit 53 converts the purchaser identity certification secret information x ′ in the purchaser identity certification secret information storage device 61 into the secret information. This is transmitted to the read request unit 63.

  The secret information read request unit 63 is controlled by the purchaser identity verification unit 29 to transmit a request for transmitting the purchaser identity certification secret information x ′ to the secret information read response unit 53, and a secret information read response unit And a function for sending the purchaser identity verification secret information x ′ received from the customer identity verification unit 29 to the purchaser identity verification unit 29.

  Accordingly, in the purchaser identity verification process, as shown in FIG. 36, steps ST51 ′ to ST52′-2 are executed as described above, and one or more anonymous order information is stored in the verification storage device 61. Write. The purchaser identity verification unit 29 extracts purchaser identity verification information from each anonymous order information in the verification storage device 61.

  Thereafter, the purchaser identity verification device 60 transmits a request for transmitting confidential information to the purchaser identity verification device 50 (ST52 ″ -3).

  In response to this transmission request, the purchaser identity verification device 50 sends the purchaser identity verification secret information x ′ in the purchaser identity verification secret information storage device 61 to the purchaser identity verification device 60. Transmit (ST52 "-4).

  After that, the purchaser identity verification apparatus 60 determines that y = h ^ x 'holds for each anonymous order information m5 = (h, y) based on the purchaser identity certification secret information x'. Is verified (ST53).

  Thereafter, similarly to the above, the processing after step ST56 is executed according to the verification result.

  Note that the method described in the above embodiment includes a magnetic disk (floppy (registered trademark) disk, hard disk, etc.), an optical disk (CD-ROM, DVD, etc.), a magneto-optical disk (MO) as programs that can be executed by a computer. ), And can be distributed in a storage medium such as a semiconductor memory.

  In addition, as long as the storage medium can store a program and can be read by a computer, the storage format may be any form.

  In addition, an OS (operating system) running on a computer based on an instruction of a program installed in the computer from a storage medium, MW (middleware) such as database management software, network software, and the like realize the above-described embodiment. A part of each process may be executed.

  Further, the storage medium in the present invention is not limited to a medium independent of a computer, but also includes a storage medium in which a program transmitted via a LAN, the Internet, or the like is downloaded and stored or temporarily stored.

  Further, the number of storage media is not limited to one, and the case where the processing in the above embodiment is executed from a plurality of media is also included in the storage media in the present invention, and the media configuration may be any configuration.

  The computer according to the present invention executes each process in the above-described embodiment based on a program stored in a storage medium, and is a single device such as a personal computer or a system in which a plurality of devices are connected to a network. Any configuration may be used.

  In addition, the computer in the present invention is not limited to a personal computer, but includes an arithmetic processing device, a microcomputer, and the like included in an information processing device, and is a generic term for devices and devices that can realize the functions of the present invention by a program. .

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined.

It is a schematic diagram which shows the structure of the anonymous order system which concerns on the 1st Embodiment of this invention. It is a schematic diagram which shows the structure of the storage apparatus for logistics companies in the same embodiment. It is a schematic diagram which shows the structure of the store memory device in the embodiment. It is a schematic diagram for demonstrating order information etc. in the embodiment. It is a schematic diagram which shows the structure of the memory | storage device for purchasers in the embodiment. It is a schematic diagram for demonstrating the anonymous order information etc. in the embodiment. FIG. 7 is a sequence diagram for explaining an initial setting operation in the embodiment. It is a sequence diagram for demonstrating the operation | movement of the anonymous order / delivery / settlement in the embodiment. It is a schematic diagram for demonstrating in detail the operation | movement of the anonymous order in the same embodiment. It is a schematic diagram for demonstrating the verification process of the anonymous order in the embodiment. It is a sequence diagram for demonstrating operation | movement of the purchaser identity verification process in the embodiment. It is a schematic diagram which shows the structure of the anonymous order system which concerns on the 2nd Embodiment of this invention. It is a schematic diagram which shows the structure of the store memory device in the embodiment. It is a schematic diagram for demonstrating the anonymous order information etc. in the embodiment. It is a schematic diagram which shows the structure of the memory | storage device for purchasers in the embodiment. It is a sequence diagram for demonstrating the operation | movement of the anonymous order / delivery / settlement in the embodiment. It is a schematic diagram for demonstrating the verification process of the anonymous order in the embodiment. It is a sequence diagram for demonstrating operation | movement of the purchaser identity verification process in the embodiment. It is a schematic diagram which shows the structure of the anonymous order system which concerns on the 4th Embodiment of this invention. It is a schematic diagram which shows the structure of the memory | storage device for purchasers in the embodiment. It is a schematic diagram which shows the structure of the secret information storage device for purchaser identity verification in the embodiment. FIG. 7 is a sequence diagram for explaining an initial setting operation in the embodiment. It is a sequence diagram for demonstrating the operation | movement of the anonymous order / delivery / settlement in the embodiment. It is a sequence diagram for demonstrating operation | movement of the purchaser identity verification process in the embodiment. It is a schematic diagram which shows the structure of the anonymous order system which concerns on the 1st modification of the embodiment. It is a sequence diagram for demonstrating operation | movement of the purchaser identity verification process of the modification. It is a schematic diagram which shows the structure of the anonymous order system which concerns on the 2nd modification in the 4th Embodiment of this invention. It is a schematic diagram which shows the structure of the secret information storage device for purchaser identity proof of the modification. It is a sequence diagram for demonstrating operation | movement of the anonymous order / delivery / settlement of the modification. It is a sequence diagram for demonstrating operation | movement of the purchaser identity verification process of the modification. It is a schematic diagram which shows the structure of the other anonymous order system of the modification. It is a schematic diagram which shows the structure of the secret information storage device for other purchaser identity proofs of the modification. It is a sequence diagram for demonstrating operation | movement of the other anonymous order / delivery / settlement of the modification. It is a sequence diagram for demonstrating operation | movement of the other purchaser identity verification process of the modification. It is a schematic diagram which shows the structure of the anonymous order system which concerns on the 3rd modification in the 4th Embodiment of this invention. It is a sequence diagram for demonstrating operation | movement of the purchaser identity verification process of the modification.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 10 ... Logistics company apparatus, 11 ... Logistics company storage device, 12 ... Initial setting part, 13 ... Dealer registration part, 14 ... Purchaser registration part, 15 ... Settlement processing part, 16 ... Order verification part, 17 ... Purchaser 18: Market information generation unit, 20 ... Store device, 21 ... Store storage device, 22, 32 ... Registration request unit, 23 ... Order reception unit, 24 ... Order information generation unit, 25 ... Order verification unit 26 ... Settlement request unit, 27 ... Password generation unit, 28, 29 ... Purchaser identity verification unit, 30 ... Purchaser device, 31 ... Purchaser storage device, 33 ... Product selection unit, 34 ... Anonymous ordering unit, 35 ... Anonymous order information generation unit, 36 ... Order confirmation unit, 37, 39 ... Purchaser identity certification unit, 38 ... Buyer identity certification secret information generation unit, 41-47 ... Network, 50 ... Purchaser identity Proof device, 51. Secret information for purchaser identity proof Storage device, 51 '... Password storage device, 52 ... Secret information write processing unit, 52' ... Password write processing unit, 53 ... Secret information read response unit, 60 ... Purchaser identity verification device, 61 ... Verification Storage device 62... Anonymous order information receiving unit 63. Secret information reading requesting unit 71 71 Anonymous order information transmitting unit 81. Secret information writing requesting unit 81 ′ Password writing requesting unit

Claims (18)

Used for a retailer apparatus capable of communicating with both an administrator apparatus that can settle a purchaser's anonymous order by a group signature system having a tracking function and a purchaser apparatus that performs an anonymous order for sale by the group signature system An anonymous ordering program,
A computer of the store apparatus;
“Anonymous order information including order ID and group signature” received from the purchaser device in the past and a password issued corresponding to this anonymous order information are stored in association with each other in the storage device of the computer of the store device. Storage means,
An order ID issuing means for issuing an order ID based on the sales target specifying information received from the purchaser device of the purchaser and transmitting the order ID to the purchaser device;
Signature verification means for verifying the group signature upon receiving anonymous order information including the order ID and group signature from the purchaser device;
When the verification result of the group signature is valid, a password issuance means for issuing a password corresponding to the current anonymous order information and storing the current anonymous order information and password in the storage device,
Password transmitting means for transmitting the issued password to the purchaser device;
Anonymous order transmission means for transmitting anonymous order information to the manager device,
Upon receiving a request including a past order ID and password from the purchaser device, password verification means for verifying the order ID and password with reference to the storage device;
Request acceptance means for accepting the request when the verification result of the order ID and password is valid;
Program for anonymous ordering to function as. Used for a purchaser device that can communicate with both an administrator device that can settle a purchaser's anonymous order by a group signature method having a tracking function and a store device that receives an anonymous order to be sold by the group signature method An anonymous ordering program,
A computer of the purchaser device;
Storage means for storing past anonymous order information and password in association with each other in the storage device of the computer of the purchaser device,
Anonymous order generation means for generating anonymous order information including the order ID and group signature when receiving an order ID from the store apparatus by the purchaser's operation;
Anonymous order transmission means for transmitting the obtained anonymous order information to the store apparatus,
Password writing means for writing the password received from the store apparatus in response to this transmission to the storage device in association with the anonymous order information of this time,
Request generation means for generating a request including an order ID and a password in the storage device by an operation of the purchaser;
Request transmitting means for transmitting the obtained request to the store apparatus;
Program for anonymous ordering to function as. Used for a retailer apparatus capable of communicating with both an administrator apparatus that can settle a purchaser's anonymous order by a group signature system having a tracking function and a purchaser apparatus that performs an anonymous order for sale by the group signature system An anonymous ordering program,
A computer of the store apparatus;
In the past, the purchaser identity verification secret information corresponding to the order ID, the purchaser identity verification information corresponding to the order ID and generated based on the purchaser identity verification secret information that cannot be guessed, And after the group signature based on the order ID and the purchaser identity verification information is generated by the purchaser device, from the purchaser device, “the order ID, the purchaser identity verification information and the group signature are included. Storage means for storing the anonymous order information in the storage device of the computer of the store apparatus when the "anonymous order information" is received (however, the confidential information for purchase identity proof that cannot be guessed is the same as the purchaser) The secret information for sex proof itself cannot be inferred from the administrator device and the store device, and is also inferred from the administrator device and the store device based on the purchaser identity verification information. The information is available),
An order ID issuing means for issuing an order ID based on the sales target specifying information received from the purchaser device of the purchaser and transmitting the order ID to the purchaser device;
Signature verification means for verifying the group signature when receiving the order ID, the purchaser identity verification information and the anonymous order information including the group signature from the purchaser device;
When the verification result of the group signature is valid, anonymous order information writing means for writing the current anonymous order information to the storage device,
Anonymous order transmission means for transmitting anonymous order information to the manager device,
When a request including “past order ID” and “zero knowledge proof information that the secret information for purchaser identity certification corresponding to this order ID is known” is received from the purchaser device, it is related to the order ID. Retrieval means for retrieving purchaser identity verification information from the storage device,
Zero knowledge verification means for verifying the zero knowledge proof information based on the retrieved purchaser identity verification information;
A request receiving means for receiving the request when the verification result of the zero knowledge proof information is valid;
Program for anonymous ordering to function as. Used for a purchaser device that can communicate with both an administrator device that can settle a purchaser's anonymous order by a group signature method having a tracking function and a store device that receives an anonymous order to be sold by the group signature method An anonymous ordering program,
A computer of the purchaser device;
Previous “anonymized order information including purchase order identity verification information and group signature generated based on order ID, confidential information for purchase identity verification corresponding to order ID and cannot be guessed” and “the purchaser” Storage means for storing “identity proof secret information” in association with a storage device of a computer of the purchaser device (however, the unidentifiable purchaser identity proof secret information is for purchaser identity proof) (The secret information itself is information that cannot be inferred from the administrator device and the store device, and that cannot be inferred from the administrator device and the store device even based on the purchaser identity verification information) ,
Anonymous order generation means for generating anonymous order information including the order ID, purchaser identity verification information, and group signature when receiving an order ID from the store apparatus by the purchaser's operation;
Anonymous order transmission means for transmitting the obtained anonymous order information to the store apparatus,
Search means for retrieving, from the storage device, purchaser identity proof secret information related to a past order ID by the purchaser's operation;
Zero knowledge proof generating means for generating zero knowledge proof information indicating that the buyer identity proof secret information corresponding to the order ID is known;
Request generation means for generating a request including the order ID and the zero knowledge proof information by the operation of the purchaser;
Request transmitting means for transmitting the obtained request to the store apparatus;
Program for anonymous ordering to function as. Used for a retailer apparatus capable of communicating with both an administrator apparatus that can settle a purchaser's anonymous order by a group signature system having a tracking function and a purchaser apparatus that performs an anonymous order for sale by the group signature system An anonymous ordering program,
A computer of the store apparatus;
Buyer identity verification secret information generated based on common purchaser identity certification secret information that is not related to the order ID, and that corresponds to this order ID and cannot be guessed Information, and a group signature based on the order ID and the purchaser identity verification information is generated by the purchaser device, and the purchaser device receives "the order ID, the purchaser identity verification information and the group" Storage means for storing the anonymous order information in a storage device of a computer of the store apparatus when the anonymous order information including the signature is received (however, the confidential information for purchaser identity proof that cannot be guessed is The purchaser identity proof secret information itself cannot be inferred from the administrator device and the store device, and the administrator device and the store device are based on the purchaser identity verification information. The information is a guess not),
An order ID issuing means for issuing an order ID based on the sales target specifying information received from the purchaser device of the purchaser and transmitting the order ID to the purchaser device;
Signature verification means for verifying the group signature when receiving the order ID, the purchaser identity verification information and the anonymous order information including the group signature from the purchaser device;
When the verification result of the group signature is valid, anonymous order information writing means for writing the current anonymous order information to the storage device,
Anonymous order transmission means for transmitting anonymous order information to the manager device,
Zero knowledge proof that the buyer's device has the same “one or more past order IDs” and “the buyer identity verification secret information corresponding to the one or more order IDs is common and knows it. Retrieval means for retrieving one or more purchaser identity verification information related to the one or more order IDs from the storage device upon receiving a request including "information";
Zero knowledge verification means for verifying the zero knowledge proof information based on the one or more pieces of buyer identity verification information searched;
A request receiving means for receiving the request when the verification result of the zero knowledge proof information is valid;
Program for anonymous ordering to function as. Used for a purchaser device that can communicate with both an administrator device that can settle a purchaser's anonymous order by a group signature method having a tracking function and a store device that receives an anonymous order to be sold by the group signature method An anonymous ordering program,
A computer of the purchaser device;
Previous “anonymized order information including purchase order identity verification information and group signature generated based on order ID, confidential information for purchase identity verification corresponding to order ID and cannot be guessed” and “the purchaser” Storage means for storing “identity proof secret information” in association with a storage device of a computer of the purchaser device (however, the unidentifiable purchaser identity proof secret information is for purchaser identity proof) (The secret information itself is information that cannot be inferred from the administrator device and the store device, and that cannot be inferred from the administrator device and the store device even based on the purchaser identity verification information) ,
Anonymous order generation means for generating anonymous order information including the order ID, purchaser identity verification information, and group signature when receiving an order ID from the store apparatus by the purchaser's operation;
Anonymous order transmission means for transmitting the obtained anonymous order information to the store apparatus,
Search means for retrieving, from the storage device, common purchaser identity certification secret information related to one or more past order IDs by the purchaser's operation;
Based on the retrieved buyer identity proof secret information, zero knowledge proof generating means for generating zero knowledge proof information that the buyer identity proof secret information is common and known. ,
Request generation means for generating a request including the one or more order IDs and the zero knowledge proof information by the purchaser's operation;
Request transmitting means for transmitting the obtained request to the store apparatus;
Program for anonymous ordering to function as. It is a store apparatus that can communicate with both an administrator apparatus that can settle an anonymous order of a purchaser by a group signature method having a tracking function and a purchaser apparatus that performs an anonymous order for sale by the group signature method. And
A storage device for storing “anonymous order information including an order ID and group signature” received from a purchaser device in the past and a password issued corresponding to the anonymous order information in association with each other;
Order ID issuing means for issuing an order ID based on the sales target specifying information received from the purchaser device of the purchaser, and transmitting the order ID to the purchaser device;
Upon receiving anonymous order information including the order ID and group signature from the purchaser device, signature verification means for verifying the group signature;
When the verification result of the group signature is valid, a password issuance unit that issues a password corresponding to the current anonymous order information, and stores the current anonymous order information and password in the storage device;
Password transmitting means for transmitting the issued password to the purchaser device;
Anonymous order transmission means for transmitting anonymous order information to the manager device;
Upon receiving a request including a past order ID and password from the purchaser device, password verification means for verifying the order ID and password with reference to the storage device;
And a request receiving means for receiving the request when the verification result of the order ID and password is valid. A purchaser device capable of communicating with both an administrator device that can settle an anonymous order of a purchaser by a group signature method having a tracking function and a store device that receives an anonymous order to be sold by the group signature method. And
A storage device for storing past anonymous order information and passwords;
When receiving an order ID from the store apparatus by the purchaser's operation, anonymous order generating means for generating anonymous order information including the order ID and a group signature;
Anonymous order transmission means for transmitting the obtained anonymous order information to the store apparatus;
A password writing means for writing the password received from the store apparatus in response to this transmission into the storage device in association with the anonymous order information of this time;
Request generation means for generating a request including an order ID and a password in the storage device by an operation of the purchaser;
A purchaser device comprising: request transmission means for transmitting the obtained request to the store device. It is a store apparatus that can communicate with both an administrator apparatus that can settle an anonymous order of a purchaser by a group signature method having a tracking function and a purchaser apparatus that performs an anonymous order for sale by the group signature method. And
In the past, the purchaser identity verification secret information corresponding to the order ID, the purchaser identity verification information corresponding to the order ID and generated based on the purchaser identity verification secret information that cannot be guessed, And after the group signature based on the order ID and the purchaser identity verification information is generated by the purchaser device, from the purchaser device, “the order ID, the purchaser identity verification information and the group signature are included. A storage device that stores the anonymous order information when the anonymous order information is received (however, the purchaser identity certification secret information that cannot be estimated is the purchaser identity certification secret information itself) And information that cannot be inferred from the manager device and the store apparatus even based on the purchaser identity verification information).
Order ID issuing means for issuing an order ID based on the sales target specifying information received from the purchaser device of the purchaser, and transmitting the order ID to the purchaser device;
Upon receiving anonymous order information including the order ID, purchaser identity verification information and group signature from the purchaser device, signature verification means for verifying the group signature;
When the verification result of the group signature is valid, anonymous order information writing means for writing the current anonymous order information to the storage device;
Anonymous order transmission means for transmitting anonymous order information to the manager device;
When a request including “past order ID” and “zero knowledge proof information that the secret information for purchaser identity certification corresponding to this order ID is known” is received from the purchaser device, it is related to the order ID. Retrieval means for retrieving purchaser identity verification information from the storage device;
Zero knowledge verification means for verifying the zero knowledge proof information based on the retrieved purchaser identity verification information;
And a request receiving means for receiving the request when the verification result of the zero knowledge proof information is valid. A purchaser device capable of communicating with both an administrator device that can settle an anonymous order of a purchaser by a group signature method having a tracking function and a store device that receives an anonymous order to be sold by the group signature method. And
Previous “anonymized order information including purchase order identity verification information and group signature generated based on order ID, confidential information for purchase identity verification corresponding to order ID and cannot be guessed” and “the purchaser” A storage device that stores the “identity proof secret information” in association with each other (however, the purchaser identity proof secret information that cannot be estimated is the purchaser identity proof secret information itself). It is information that cannot be inferred from the dealer apparatus and cannot be inferred from the manager apparatus and the dealer apparatus even based on the purchaser identity verification information).
When receiving an order ID from the store apparatus by the purchaser's operation, an anonymous order generating means for generating anonymous order information including the order ID, purchaser identity verification information, and a group signature;
Anonymous order transmission means for transmitting the obtained anonymous order information to the store apparatus;
Search means for searching for confidential information for purchaser identity certification related to a past order ID from the storage device by the purchaser's operation;
Zero knowledge proof generating means for generating zero knowledge proof information for knowing the buyer identity proof secret information corresponding to the order ID;
Request generation means for generating a request including the order ID and the zero knowledge certification information by the purchaser's operation;
A purchaser device comprising: request transmission means for transmitting the obtained request to the store device. It is a store apparatus that can communicate with both an administrator apparatus that can settle an anonymous order of a purchaser by a group signature method having a tracking function and a purchaser apparatus that performs an anonymous order for sale by the group signature method. And
Buyer identity verification secret information generated based on common purchaser identity certification secret information that is not related to the order ID, and that corresponds to this order ID and cannot be guessed Information, and a group signature based on the order ID and the purchaser identity verification information is generated by the purchaser device, and the purchaser device receives "the order ID, the purchaser identity verification information and the group" When receiving "anonymous order information including a signature", a storage device for storing the anonymous order information (however, the unidentifiable purchaser identity proof secret information is the purchaser identity proof secret information itself) It is information that cannot be inferred from the administrator device and the store device, and cannot be estimated from the administrator device and the store device even based on the purchaser identity verification information).
Order ID issuing means for issuing an order ID based on the sales target specifying information received from the purchaser device of the purchaser, and transmitting the order ID to the purchaser device;
Upon receiving anonymous order information including the order ID, purchaser identity verification information and group signature from the purchaser device, signature verification means for verifying the group signature;
When the verification result of the group signature is valid, anonymous order information writing means for writing the current anonymous order information to the storage device;
Anonymous order transmission means for transmitting anonymous order information to the manager device;
Zero knowledge proof that the buyer's device has the same “one or more past order IDs” and “the buyer identity verification secret information corresponding to the one or more order IDs is common and knows it. When receiving a request including “information”, a search unit that searches the storage device for one or more purchaser identity verification information related to the one or more order IDs;
Zero knowledge verification means for verifying the zero knowledge proof information based on the one or more pieces of buyer identity verification information searched;
And a request receiving means for receiving the request when the verification result of the zero knowledge proof information is valid. A purchaser device capable of communicating with both an administrator device that can settle an anonymous order of a purchaser by a group signature method having a tracking function and a store device that receives an anonymous order to be sold by the group signature method. And
Past “anonymized order information including purchase order identity verification information and group signature generated based on purchase identity verification secret information that corresponds to order ID and order ID and cannot be guessed” and “order ID And a storage device for storing the purchaser identity verification confidential information used in generating the purchaser identity verification information in association with each other (however, the unidentifiable purchaser identity verification secret information is The confidential information for purchaser identity proof itself cannot be inferred from the administrator device and the store device, and even from the administrator device and the store device based on the purchaser identity verification information. Information that cannot be guessed)
When receiving an order ID from the store apparatus by the purchaser's operation, an anonymous order generating means for generating anonymous order information including the order ID, purchaser identity verification information, and a group signature;
Anonymous order transmission means for transmitting the obtained anonymous order information to the store apparatus;
Search means for searching for common purchaser identity proof secret information related to one or more previous order IDs from the storage device by the purchaser's operation;
Based on the retrieved buyer identity proof secret information, zero knowledge proof generating means for generating zero knowledge proof information that the buyer identity proof secret information is common and known. When,
Request generation means for generating a request including the one or more order IDs and the zero knowledge proof information by the purchaser's operation;
A purchaser device comprising: request transmission means for transmitting the obtained request to the store device. Write from the buyer device that can communicate with both the administrator device that can settle the purchaser's anonymous order by the group signature method having a tracking function and the store device that receives the anonymous order to be sold by the group signature method A program used for a purchaser identity proof device that holds confidential information for purchaser identity proof,
A computer of the purchaser proof device;
Secret information writing means for writing the purchaser identity certification secret information input from the purchaser device at the time of initial setting to a storage device of the computer;
When the purchaser device receives the order ID from the store device, the purchaser identity verification information generated based on the purchaser identity secret information that corresponds to the order ID and the order ID and cannot be guessed And the anonymous order information including the group signature is generated by the purchaser device based on the “secret calculation value calculated and retained from the purchaser identity certification secret information at the time of initial setting” (however, the purchase that cannot be guessed) The confidential information for proof of identity of the purchaser cannot be inferred from the administrator device and the store device itself, and the management information is also based on the purchaser identity verification information. Information that cannot be inferred from the seller device and the store device), and after the purchaser device transmits the generated anonymous order information to the store device, it is used independently of the purchaser device. , Based on the purchaser identity proof secret information in the storage device, the purchaser identity proof secret information related to one or more previous order IDs is common and zero. Zero knowledge proof generation means for generating knowledge proof information,
Request generation means for generating a request including the one or more order IDs and the zero knowledge certification information;
A request transmission means for transmitting the obtained request to “a purchaser identity verification apparatus capable of acquiring anonymous order information from the store apparatus”;
Program to function as. An administrator device that can settle an anonymous order of a purchaser by a group signature method having a tracking function, a store device that receives an anonymous order to be sold by the group signature method, and a purchase for collecting the anonymous ordered sales object The purchaser identity proof device is capable of communicating with the purchaser identity proof device based on the pre-stored purchaser identity proof secret information upon receipt of the sales target. A request for generating zero knowledge proof information that the secret information for purchaser identity proof related to the order ID is common and knowing the same, and including the one or more order IDs and the zero knowledge proof information Is transmitted to the “buyer identity verification device capable of acquiring anonymous order information from the store device”, the buyer identity verification secret information is stored in the purchaser at the initial setting. A program writable purchaser apparatus unit for one proof,
A computer of the purchaser device;
Means for generating secret information for purchaser identity proof at the time of the initial setting, and calculating a secret calculation value from the secret information for buyer identity proof,
Means for writing the generated secret information for purchaser identity verification to the purchaser identity verification device while writing the calculated secret calculation value to a storage device of the computer;
Upon receiving an order ID from the store apparatus through the purchaser's operation, anonymous order information including the order ID, purchaser identity verification information, and group signature is generated based on the secret calculation value in the storage device Anonymous order generation means,
Anonymous order transmission means for transmitting the obtained anonymous order information to the store apparatus,
Program to function as. With respect to a retailer apparatus capable of communicating with both an administrator apparatus that can settle an anonymous order of a purchaser by a group signature method having a tracking function, and a purchaser apparatus that performs an anonymous order for sale by the group signature method, In the past, this store apparatus has the same purchaser identity secret information that is generated based on the purchaser identity certification secret information corresponding to the order ID and the purchase identity identity secret information that corresponds to the order ID and cannot be guessed. After the group signature based on the verification information and the order ID and the purchaser identity verification information is generated by the purchaser device (however, the unidentifiable purchaser identity verification secret information The secret information for the person identity proof itself cannot be inferred from the administrator device and the store device, and the administrator device and the store device are based on the purchaser identity verification information. When the “anonymous order information including the order ID, the purchaser identity verification information and the group signature” is received from the purchaser device, the anonymous order information is stored, and the purchaser's An order ID is issued based on the sales target specifying information received from the purchaser apparatus, the order ID is transmitted to the purchaser apparatus, and the order ID, purchaser identity verification information and group signature are transmitted from the purchaser apparatus. When the anonymous order information is received, the group signature is verified, and when the verification result is valid, the current anonymous order information is stored, while the anonymous order information is transmitted to the manager device, It is a program used for a purchaser identity verification device that can obtain anonymous order information from a store device,
A computer of the purchaser identity verification device;
One item corresponding to the “one or more past order IDs” input after the anonymous order, with respect to the purchaser identity certification device in which the purchaser certification secret information is written from the purchaser device at the initial setting. Means for reading the above anonymous order information from the store apparatus;
Means for writing one or more anonymous order information read from the store apparatus into a storage device of the computer;
It is known from the purchaser identity proof device that “one or more past order IDs” and “buyer identity proof secret information corresponding to the one or more order IDs are common. Means to receive a request containing `` zero knowledge proof information of
Upon receiving this request, zero knowledge verification means for verifying the zero knowledge proof information based on one or more purchaser identity verification information included in one or more anonymous order information in the storage device,
A request receiving means for receiving the request when the verification result of the zero knowledge proof information is valid;
Program to function as. Write from the buyer device that can communicate with both the administrator device that can settle the purchaser's anonymous order by the group signature method having a tracking function and the store device that receives the anonymous order to be sold by the group signature method A purchaser identity proof device holding confidential information for purchaser identity proof,
A secret information storage device for storing the purchaser identity certification secret information written from the purchaser device at the initial setting;
When the purchaser device receives the order ID from the store device, the purchaser identity verification information generated based on the purchaser identity secret information that corresponds to the order ID and the order ID and cannot be guessed And the anonymous order information including the group signature is generated by the purchaser device based on the “secret calculation value calculated and held from the purchaser identity certification information at the time of initial setting” (however, the purchaser who cannot guess) The identity verification secret information is such that the purchaser identity verification secret information itself cannot be inferred from the administrator device and the store device, and the administrator is also based on the purchaser identity verification information. Device and information that cannot be inferred from the store device), after the purchaser device transmits the generated anonymous order information to the store device, it is used independently of the purchaser device, Said Based on the purchaser identity proof secret information in the secret information storage device, the purchaser identity proof secret information related to one or more past order IDs is common and known. Zero knowledge proof generating means for generating zero knowledge proof information;
Request generating means for generating a request including the one or more order IDs and the zero knowledge certification information;
A purchaser identity verification apparatus comprising: a request transmission unit that transmits the obtained request to a “purchaser identity verification apparatus capable of acquiring anonymous order information from the store apparatus”. An administrator device that can settle an anonymous order of a purchaser by a group signature method having a tracking function, a store device that receives an anonymous order to be sold by the group signature method, and a purchase for collecting the anonymous ordered sales object The purchaser identity proof device is capable of communicating with the purchaser identity proof device based on the pre-stored purchaser identity proof secret information upon receipt of the sales target. A request for generating zero knowledge proof information that the secret information for purchaser identity proof related to the order ID is common and knowing the same, and including the one or more order IDs and the zero knowledge proof information Is transmitted to the “buyer identity verification device capable of acquiring anonymous order information from the store device”, the buyer identity verification secret information is stored in the purchaser at the initial setting. A writable purchaser apparatus to apparatus for one proof,
Secret calculation calculated from past “anonymous order information including order ID, purchaser identity verification information and group signature” and “buyer identity certification secret information corresponding to order ID and generated at initial setting” A storage device that stores values in association with each other;
Means for writing the purchaser identity proof secret information to the purchaser identity proof device during the initial setting, while writing the secret calculation value to the storage device;
Anonymous order generation that generates anonymous order information including the order ID, purchaser identity verification information, and a group signature when receiving an order ID from the store apparatus by the purchaser's operation based on the secret calculation value Means,
A purchaser device comprising: anonymous order transmission means for transmitting the obtained anonymous order information to the store device. With respect to a retailer apparatus capable of communicating with both an administrator apparatus that can settle an anonymous order of a purchaser by a group signature method having a tracking function, and a purchaser apparatus that performs an anonymous order for sale by the group signature method, In the past, this store apparatus has the same purchaser identity secret information that is generated based on the purchaser identity certification secret information corresponding to the order ID and the purchase identity identity secret information that corresponds to the order ID and cannot be guessed. After the group signature based on the verification information and the order ID and the purchaser identity verification information is generated by the purchaser device (however, the unidentifiable purchaser identity verification secret information The secret information for the person identity proof itself cannot be inferred from the administrator device and the store device, and the administrator device and the store device are based on the purchaser identity verification information. When the “anonymous order information including the order ID, the purchaser identity verification information and the group signature” is received from the purchaser device, the anonymous order information is stored, and the purchaser's An order ID is issued based on the sales target specifying information received from the purchaser apparatus, the order ID is transmitted to the purchaser apparatus, and the order ID, purchaser identity verification information and group signature are transmitted from the purchaser apparatus. When the anonymous order information is received, the group signature is verified, and when the verification result is valid, the current anonymous order information is stored, while the anonymous order information is transmitted to the manager device, A purchaser identity verification device that can obtain anonymous order information from a retail store device,
One item corresponding to the “one or more past order IDs” input after the anonymous order, with respect to the purchaser identity certification device in which the purchaser certification secret information is written from the purchaser device at the initial setting. Means for reading the above anonymous order information from the store apparatus;
A storage device for storing one or more anonymous order information read from the store apparatus;
It is known from the purchaser identity proof device that “one or more past order IDs” and “buyer identity proof secret information corresponding to the one or more order IDs are common. Means to receive a request including `` zero knowledge proof information of
Upon receiving this request, zero knowledge verification means for verifying the zero knowledge proof information based on one or more purchaser identity verification information included in one or more anonymous order information in the storage device;
A purchaser identity verification apparatus comprising: a request receiving unit that receives the request when the verification result of the zero knowledge proof information is valid.

Images