[go: up one dir, main page]

WO2025094278A1 - Information processing device, information system, information processing method, and program - Google Patents

Information processing device, information system, information processing method, and program Download PDF

Info

Publication number
WO2025094278A1
WO2025094278A1 PCT/JP2023/039294 JP2023039294W WO2025094278A1 WO 2025094278 A1 WO2025094278 A1 WO 2025094278A1 JP 2023039294 W JP2023039294 W JP 2023039294W WO 2025094278 A1 WO2025094278 A1 WO 2025094278A1
Authority
WO
WIPO (PCT)
Prior art keywords
currency
unit
public key
key
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/JP2023/039294
Other languages
French (fr)
Japanese (ja)
Inventor
哲矢 奥田
和輝 山村
正幸 阿部
尭之 三浦
俊之 宮澤
利徳 福永
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NTT Inc
Original Assignee
Nippon Telegraph and Telephone Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nippon Telegraph and Telephone Corp filed Critical Nippon Telegraph and Telephone Corp
Priority to PCT/JP2023/039294 priority Critical patent/WO2025094278A1/en
Publication of WO2025094278A1 publication Critical patent/WO2025094278A1/en
Pending legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/04Payment circuits
    • G06Q20/06Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present invention relates to an information processing device, an information system, an information processing method, and a program.
  • Patent Document 1 discloses a token-based electronic currency system in which a signature is provided by the issuing bank for each unit of electronic currency, allowing transactions to be completed only between users.
  • currency data including the public key of each user is sent between users to circulate the currency.
  • the public key in the currency data corresponds to a pseudonym, and generally, there is an issue with pseudonym-based methods in that the pseudonym could be used to narrow down individuals.
  • issues are not limited to electronic currency systems, and can also occur in various information systems.
  • issues similar to those in the electronic currency system can occur in information systems that run PKI (Public Key Infrastructure) applications that use signatures to distribute information.
  • Information that is the subject of distribution can be, for example, electronic value, but is not limited to electronic value.
  • the present invention has been made in consideration of the above points, and aims to provide technology for protecting privacy in information systems.
  • an information processing device in an information system in which information in which a plurality of linked pieces of data each having a pair of a public key and a signature are transmitted and received between information processing devices, the information processing device comprising: a key generation unit configured to generate a new pair of public key and private key and obtain a certificate for the newly generated public key after a certain period of time has elapsed since the generation of the pair of public key and private key, or after the generated public key or private key has been used a certain number of times; and an information distribution unit configured to transmit or receive information including the newly generated public key.
  • the disclosed technology provides a technique for protecting privacy in information systems.
  • FIG. 1 is a diagram for explaining issues and solutions regarding privacy protection.
  • FIG. 1 is a diagram for explaining issues and solutions regarding privacy protection.
  • FIG. 1 is a diagram for explaining an NNL tree. 1 is a diagram for explaining a method of applying an NNL tree to currency in this embodiment.
  • FIG. FIG. 1 is a diagram illustrating an example of a system configuration of an electronic currency system.
  • FIG. 2 is a functional configuration diagram of an issuing bank server.
  • FIG. 2 is a functional configuration diagram of a root certificate authority server.
  • FIG. 2 is a functional configuration diagram of a financial institution server.
  • FIG. 2 is a functional configuration diagram of an intermediate certificate authority server.
  • FIG. 2 is a functional configuration diagram of a user terminal.
  • FIG. 2 is a functional configuration diagram of a user terminal.
  • FIG. 1 is a diagram for explaining issues and solutions regarding privacy protection.
  • FIG. 11 is a sequence diagram showing an example of the flow of a currency issuing process.
  • 11 is a flowchart illustrating an example of a procedure for generating a currency ID when issuing currency.
  • FIG. 11 is a sequence diagram showing an example of the flow of a withdrawal process.
  • 13 is a flowchart illustrating an example of a procedure for currency division processing.
  • FIG. 11 is a sequence diagram showing an example of the flow of a payment process.
  • FIG. 11 is a sequence diagram showing an example of the flow of a currency exchange process.
  • FIG. 11 is a sequence diagram showing an example of the flow of a credit process.
  • FIG. 11 is a sequence diagram showing an example of the flow of a return process.
  • FIG. 11 is a diagram for explaining an MHTree function of a Merkle tree according to the second embodiment;
  • FIG. 11 is a first diagram for explaining an MHPath function of a Merkle tree according to the second embodiment.
  • FIG. 13 is a diagram for explaining an MHVer function of a Merkle tree according to the second embodiment. This is a diagram showing a state in which there are eight pieces of currency.
  • FIG. 13 is a diagram showing a state in which currency additional information including the same signature is added to eight bills.
  • FIG. 2 illustrates an example of a hardware configuration of a computer.
  • an electronic currency system is merely one example of a technology to which the present invention can be applied.
  • the present invention can also be applied to various information systems other than electronic currency systems.
  • the present invention can also be applied to information systems that run applications such as ticket sales and distribution, intra-company (and inter-company) business flows, and rights transfer.
  • the electronic currency system according to the first embodiment is a system for electronic currency issued by a specific issuing bank. It is proposed that the value of the electronic currency is guaranteed to be the same as that of legal tender. Below, an example of electronic currency with the same value as the Japanese yen will be described, but this is not limiting, and electronic currency with the same value as the legal tender of another country may be used, or electronic currency that does not have to be the same value as the legal tender.
  • a server managed by the issuing bank issues electronic currency (hereafter simply called currency) with a signature.
  • transaction history data is managed by a financial institution other than the issuing bank (e.g. a commercial bank).
  • a financial institution e.g. a commercial bank.
  • the users' terminals communicate directly with each other to execute the processing required for the transaction.
  • the currency data is a concatenation of data having a pair of the public key pk and signature S of each user who has used the currency.
  • the current currency owner is the person who has withdrawn the currency from financial institution server 20, which is a commercial bank server.
  • the owner of the currency circulating between user terminals may be a store or an individual user who uses the store.
  • the current currency owner is an individual user.
  • the previous currency owner may have been a store or an individual user.
  • Example 1 we assume that the store is (semi-)honest and will not publish the store's public key under its real name, which would have a negative impact on the privacy of users. Such a public key may be called a "pseudonym.” Note that "(semi-)honest” can mean either semi-honest or honest.
  • the currency data in Figure 1 will only reveal the pseudonym of the store used by the individual user who is the current currency owner.
  • Transaction history with multiple stores (pseudonyms) and banks (real name) can be collected as data linked to the individual user's public key (e.g., pkUn in Figure 1).
  • the store (pseudonym) with which transactions were conducted using the public key can determine the transaction history by collecting currency data. If the data collected in this way is considered a data set related to an individual, it can be said that the issuing bank holds the entire DB (full data set) and the market holds a partial DB (part of the data set).
  • Figure 1 is just one example, and similar problems can also occur at stores (Uk+1 and Uk-1) where a general individual user (Uk) makes transactions. This also applies to Examples 2 to 4 described below.
  • the public keys of stores (and individual users) are pseudonyms, and the store's public keys and the individual user's public keys are updated periodically. This reduces the possibility that the public keys in the currency data can be used to narrow down individuals (corresponding to the idea of pseudo-IDs), and improves privacy protection.
  • individual users may "(2) use the same public key only once.”
  • the user terminal 30 has used a public key (or a private key that is a pair of the public key) only once, it will no longer use that public key, but will instead generate a new public key and use that new public key next time.
  • Example 2 An image of currency data when multiple currency data are used in the same transaction is shown in Figure 2.
  • an individual user with a public key pkUn is assumed to be the current currency owner and the owner of two currencies.
  • the next payment destination store for individual user Un is assumed to be Un+1.
  • Example 2 we also assume that the store is semi-honest and will not publish the store's public key under its real name, which would have a negative impact on the user's privacy. In this case, if the previous owner of the current currency is a store, then just like in Example 1, the currency data in Figure 2 will reveal only the pseudonym of the store used by the individual user who is the current currency owner.
  • the next payment destination store Un+1 can simultaneously determine the multiple stores (pseudonyms) that were traded with that public key (pkUn) from the multiple currency data of the target transaction.
  • a frequently used store may collect information about other stores (pseudonyms) used by the individual user.
  • the public keys of the store (and individual user) are pseudonyms, and the public keys of the individual users and stores are updated periodically, reducing the possibility that currency data can be used to narrow down individuals (corresponding to the idea of a pseudo-ID).
  • Example 1 assume that the current currency owner is an individual user.
  • the previous currency owner may be a store or an individual user.
  • Example 3 the previous currency owner is a store.
  • the store may mistakenly publish a public key under the store's "real name.”
  • the store may also mistakenly keep its public key the same for a long period of time.
  • the transaction history of multiple stores (real names) and banks (real names) can be collected as data linked to the public key of the individual user (e.g., pkUn in Figure 1).
  • the public keys of stores (and individual users) are pseudonyms, and the store's public keys and the individual user's public keys are updated periodically. This reduces the possibility that currency data can be used to narrow down individuals (corresponding to the idea of pseudo-IDs).
  • an individual user may use the same public key only once.
  • the user terminal 30 has used a public key (or a private key that is a pair of the public key) once, it will no longer use that public key, but will instead generate a new public key and use that new public key next time.
  • Example 4 Similar to Example 2, multiple currency data are used in the same transaction as shown in Fig. 2.
  • an individual user having a public key pkUn is assumed to be the current currency owner and the owner of two currencies.
  • the next payment destination store for individual user Un is assumed to be Un+1.
  • Example 4 the previous multiple currency owners are multiple stores.
  • the multiple stores may mistakenly publish public keys under the "real" names of the stores. Also, the multiple stores may mistakenly keep the public keys the same for a long period of time.
  • the public keys of stores and individual users are pseudonyms, and the public keys of individual users and stores are updated periodically, reducing the possibility that currency data can be used to narrow down individuals (corresponding to the idea of a pseudo-ID).
  • the usage period of the public keys of individual users and stores is set to be short enough that it does not interfere with operations.
  • TEE secure hardware
  • the NNL tree method (variable face value method) is used to reduce the number of currency notes used in one transaction. This makes it less likely that currency received from multiple stores will be mixed into a single transaction, making it possible to reduce the amount of store information linked to an individual user's public key. As a result, the effectiveness of privacy protection can be improved.
  • NNL tree method (Overview of the first embodiment: NNL tree method) The above-mentioned NNL tree method will be described.
  • the amount of currency is expressed as a set of the smallest unit (for example, 1 yen). Decomposition of currency into units smaller than the smallest unit is not permitted. If the smallest unit is 1 yen, a fixed face value method in 1 yen units is adopted to (effectively) realize a variable face value method (token division).
  • a signature is added to each currency by the issuing bank's server as described above. If currency is represented by a collection of 1 yen coins, for example, 10,000 signatures must be made when issuing 10,000 yen. In this case, the cost of generating and verifying signatures at the time of issuance and payment becomes unrealistic. Therefore, in this embodiment, the amount of one currency is represented by a single tree structure with the smallest unit (1 yen) as the leaf node, so that signatures are generated and verified only once at the time of issuance and payment.
  • an NNL tree (reference [1]) is used as such a tree structure, and when issuing a signature, the signature is issued only once, and the data size is compressed nonlinearly.
  • Fig. 3 is a diagram for explaining an NNL tree.
  • a pseudorandom number generator G ⁇ 0,1 ⁇ n ⁇ ⁇ 0,1 ⁇ 2n that generates a random number twice as long as an input random number is applied to an ID (n-bit random number in Fig. 3) as a seed to generate a 2n-bit ID.
  • An example is shown in which a pseudorandom number generator G is applied to the first n bits and the second n bits of the 2n bits to generate further 2n-bit random numbers, generating a total of four n-bit IDs (random numbers).
  • Figure 4 is a diagram to explain how to apply an NNL tree to currency in this embodiment.
  • the amount of currency is represented by an NNL tree.
  • the leaf node of the NNL tree corresponds to the smallest unit (for example, 1 yen), and the amount of currency corresponding to a certain NNL tree is determined by the number of leaf nodes belonging to that NNL tree.
  • the NNL tree is a binary tree, in this state, only amounts in powers of 2 can be expressed. Therefore, it is made possible to specify the leaf node corresponding to the currency.
  • the currency corresponding to the NNL tree is the number of all leaf nodes included in the range ⁇ 1 yen.
  • the start point and end point of the range are used as information indicating such a range.
  • the start point refers to the leaf node that is the start position of the range.
  • the end point refers to the leaf node that is the end position of the range. It is assumed that either the start point or the end point is the leaf node at the end (first or last) in the order of the leaf nodes.
  • the information indicating the range is not limited to the start point and end point. For example, all leaf nodes that belong to the range may be specified, or the start point and the size of the range (i.e., the amount) or the end point and the size of the range may be specified.
  • the number of leaf nodes is 1024. If you want to represent 1000 yen, you can specify the start point as 1 and the end point as 1000.
  • the amount of one currency is represented by a set of four parameters.
  • Signatures for currencies are realized by signing in units of seeds in the NNL tree corresponding to the currency. Therefore, the number of signatures can be determined per number of currencies (NNL trees) rather than per smallest unit of the currency (e.g., 1 yen).
  • the NNL tree represents 8 yen. If you want to split 4 yen from ID1 to ID4 from this 8 yen, for example, the ID (random number) corresponding to node n1, which is the ancestor node of all of ID1 to ID4, becomes the root node of the subtree (NNL tree) corresponding to the 4 yen after the split.
  • the currency ID of the 4 yen currency after the split will be as follows: ⁇ 01110...1,2,ID1,ID4 ⁇
  • the number of times to calculate random numbers corresponding to each node of the subtree can be reduced.
  • the currency issued by the issuing bank (T 0 described later) can be traced based on the signature history.
  • the root node of the original NNL tree may be the root node of the NNL tree after division.
  • the currency ID of the 4 yen currency after division will be as follows: ⁇ 01010...1,3,ID1,ID4 ⁇
  • Figure 4 shows random numbers corresponding to each node, but the random numbers corresponding to each node do not need to be managed until the currency (NNL tree) is split.
  • NNL tree currency
  • the NNL tree is not limited to a binary tree, and may be a 2-, 5-, or 10-ary tree. By repeating 2-branch/5-branch..., it is possible to generate an NNL tree whose number of leaf nodes exactly matches that of 5,000 yen/1,000 yen, which are close to everyday cash.
  • a pseudorandom number generator G5 ⁇ 0,1 ⁇ n ⁇ 0,1 ⁇ 5n is used at the 5-branch location
  • a pseudorandom number generator G10 ⁇ 0,1 ⁇ n ⁇ 0,1 ⁇ 10n is used at the 10-branch location.
  • the electronic currency system 1 includes an issuing bank server 10, a root certificate authority server 11, a financial institution server 20, an intermediate certificate authority server 25, and a user terminal 30. These devices are connected to each other so as to be able to communicate with each other via a communication network such as the Internet.
  • the issuing bank server 10 is an information processing device managed by the issuing bank that issues the currency.
  • the issuing bank server 10 adds signature data to message data indicating the issuance of the currency and transmits it to the financial institution server 20.
  • the issuing bank server 10 has a function of accepting a withdrawal request from the financial institution server 20.
  • the root certification authority server 11 is an information processing device that has the functionality of a root certification authority in cryptographic communication.
  • the root certification authority server 11 may be realized by the same hardware as the issuing bank server 10, and is assumed to be managed by the issuing bank, but is not limited to this.
  • the root certification authority server 11 As a preparation step for issuing currency, the root certification authority server 11 generates a root certification key, issues a root certificate, and sends it to the intermediate certification authority server 12. The root certification authority server 11 also authenticates each financial institution, generates financial institution public key certificate issuance information, and sends the generated financial institution public key certificate issuance information to the issuing bank server 10.
  • the financial institution server 20 is an information processing device managed by a financial institution (e.g., a commercial bank).
  • the financial institution server 20 is authenticated by the root certification authority server 11 and accepts the issuance of currency from the issuing bank server 10.
  • the financial institution server 20 also accepts requests for transactions such as withdrawals, currency exchange, deposits, and credit from the user terminal 30. Furthermore, the financial institution server 20 requests refunds from the issuing bank server 10.
  • the financial institution servers 20 when distinguishing between the financial institution servers 20, the financial institution servers 20 will be referred to as financial institution server 20-1, financial institution server 20-2, etc.
  • the intermediate certification authority server 25 is an information processing device that has the function of an intermediate certification authority in cryptographic communication.
  • the intermediate certification authority server 25 may be realized by the same hardware as the financial institution server 20, and is assumed to be managed by the financial institution, but is not limited to this.
  • the intermediate certification authority server 25 As a preparation step for issuing currency, the intermediate certification authority server 25 generates an intermediate authentication key, issues an intermediate certificate, and transmits it to the user terminal 30.
  • the intermediate certification authority server 25 also authenticates each user and generates user public key certificate issuance information.
  • intermediate certification authority servers 25 when distinguishing between the intermediate certification authority servers 25, the intermediate certification authority servers 25 will be referred to as intermediate certification authority server 25-1, intermediate certification authority server 25-2, etc.
  • the user terminal 30 is an information processing device used by users (individual consumers, stores, etc.) who use currency. Before starting a transaction, the user terminal 30 is authenticated by the intermediate authentication authority server 25. In addition, the user terminal 30 requests transactions such as withdrawals, currency exchanges, deposits, and credit from the financial institution server 20.
  • the user terminals 30 when distinguishing between the user terminals 30, the user terminals 30 will be referred to as user terminal 30-1, user terminal 30-2, etc.
  • a user terminal 30 requests payment from another user terminal 30 (e.g., user terminal 30-2) and accepts a payment request.
  • a payment request is a request to accept the execution of a "payment" transaction in which the user makes payment to the other party, and is not a request for the other party to make payment to the user.
  • FIG. 6 is a functional block diagram of the issuing bank server.
  • the issuing bank server 10 includes a currency issuance key generation unit 101, a currency issuance certificate issuance unit 102, a financial institution public key certificate issuance information acquisition unit 103, a currency issuing unit 104, a refund acceptance unit 105, a currency issuance key storage unit 106, and a refunded currency storage unit 107.
  • the currency issuance key generation unit 101 generates cryptographic key data (hereafter referred to as the currency issuance key) for guaranteeing the validity of message data indicating the issuance of currency (hereafter referred to as the currency issuance message).
  • the currency issuance key includes a private key and a public key.
  • the currency issuance certificate issuing unit 102 generates data indicating a certificate for certifying the public key of the currency issuance key (hereinafter referred to as the currency issuance certificate), and transmits the generated currency issuance certificate to each financial institution server 20 and each user terminal 30.
  • the financial institution public key certificate issuance information acquisition unit 103 acquires financial institution public key certificate issuance information from the root certification authority server 11.
  • the financial institution public key certificate issuance information will be described later.
  • the currency issuance unit 104 uses the currency issuance key and the financial institution public key certificate issuance information to generate a currency issuance message and transmits the generated currency issuance message to the financial institution server 20.
  • the refund receiving unit 105 receives refunds from the financial institution server 20 and stores the refunded currency in the refunded currency storage unit 107.
  • a refund is a transaction in which each financial institution deposits currency that it will not be using for the time being with the issuing bank, returning it to circulation.
  • the currency issuance key storage unit 106 stores the currency issuance key generated by the currency issuance key generation unit 101.
  • the refunded currency storage unit 107 stores the currency that has been accepted for refund by the refund acceptance unit 105 (hereinafter referred to as refunded currency).
  • FIG. 7 is a functional block diagram of the root certification authority server.
  • the root certification authority server 11 includes a root certification key generation unit 111, a root certificate issuance unit 112, a financial institution authentication unit 113, a financial institution public key certificate issuance information transmission unit 114, a root certification key storage unit 115, and a financial institution public key certificate issuance information storage unit 116.
  • the root authentication key generation unit 111 generates cryptographic key data (hereinafter referred to as the root certification key) for verifying the legitimacy of the root certification authority.
  • the root certification key includes a private key and a public key.
  • the root certificate issuing unit 112 issues certificate data (hereafter referred to as a root certificate) for verifying the validity of certificate data (hereafter referred to as an intermediate certificate) for verifying the validity of an intermediate certification authority, and transmits it to each intermediate certification authority server 25.
  • certificate data hereafter referred to as a root certificate
  • an intermediate certificate for verifying the validity of certificate data
  • the financial institution authentication unit 113 receives encryption key data (hereinafter referred to as the financial institution key) for guaranteeing the legitimacy of each financial institution from the financial institution server 20 and accepts an authentication request.
  • the financial institution authentication unit 113 then generates data indicating a certificate for certifying the public key of the financial institution key (hereinafter referred to as the financial institution public key certificate) and transmits the generated financial institution public key certificate to the financial institution server 20 that requested authentication.
  • the financial institution authentication unit 113 generates information indicating the issuance of the financial institution public key certificate (hereinafter referred to as the financial institution public key certificate issuance information).
  • the financial institution public key certificate issuance information transmission unit 114 transmits the generated financial institution public key certificate issuance information to the issuing bank server 10. Note that if the issuing bank server 10 and the root certification authority server 11 are realized by the same hardware, the financial institution public key certificate issuance information transmission unit 114 is not necessary.
  • the root authentication key storage unit 115 stores the root authentication key generated by the root authentication key generation unit 111.
  • the financial institution public key certificate issuance information storage unit 116 stores the financial institution public key certificate issuance information generated by the financial institution authentication unit 113.
  • FIG. 8 is a functional block diagram of the financial institution server.
  • the financial institution server 20 comprises a currency issuance certificate issuance reception unit 201, a financial institution key generation unit 202, a financial institution authentication request unit 203, a currency issuance reception unit 204, a withdrawal reception unit 205, an update processing unit 206, an exchange and deposit reception unit 207, a payment request unit 208, a payment reception unit 209, a credit reception unit 210, a refund request unit 211, a currency issuance certificate memory unit 212, a financial institution key memory unit 213, a financial institution public key certificate memory unit 214, an unused currency memory unit 215, a currency in use memory unit 216, an updated currency memory unit 217, and a used currency memory unit 218.
  • the currency issuance certificate issuance reception unit 201 receives the issuance of a currency issuance certificate from the issuing bank server 10.
  • the financial institution key generation unit 202 generates a financial institution key.
  • the financial institution key includes a private key and a public key.
  • the currency issuance reception unit 204 accepts the issuance of currency from the issuing bank server 10. Specifically, the currency issuance reception unit 204 receives a currency issuance message from the issuing bank server 10, and verifies the signature of the received currency issuance message using the public key included in the currency issuance certificate.
  • the update processing unit 206 updates used currency (hereinafter referred to as used currency) as necessary in response to a withdrawal request from the user terminal 30. Specifically, the update processing unit 206 deletes information (currency addition information) added to the used currency. Note that currency addition information is added by a payment transaction, which will be described later.
  • the withdrawal acceptance unit 205 transmits unused currency (hereinafter referred to as unused currency) or the currency updated by the update processing unit 206 to the user terminal 30.
  • the currency exchange/deposit reception unit 207 accepts requests for currency exchange or deposits from the user terminal 30. Specifically, when the currency exchange/deposit reception unit 207 accepts a request for currency exchange from the user terminal 30, the payment reception unit 209 accepts payment of the amount to be exchanged, and the payment request unit 208 requests multiple payments that total the amount to be exchanged. In addition, when the currency exchange/deposit reception unit 207 accepts a request for a deposit, the payment reception unit 209 accepts payment of the amount to be deposited.
  • the credit acceptance unit 210 receives currency from the user terminal 30 and accepts a credit request.
  • the credit acceptance unit 210 determines whether the currency is a currency in use (hereinafter referred to as a currency in use) and transmits the determination result to the user terminal 30.
  • the refund request unit 211 sends the currency to the issuing bank server 10 to request a refund.
  • the currency issuance certificate storage unit 212 stores the currency issuance certificate that has been accepted for issuance by the currency issuance certificate issuance acceptance unit 201.
  • the financial institution key storage unit 213 stores the financial institution key generated by the financial institution key generation unit 202.
  • the financial institution public key certificate storage unit 214 stores the financial institution public key certificate that the financial institution authentication request unit 203 receives from the root certification authority server 11.
  • the unused currency storage unit 215 stores the currency that is accepted for issuance by the currency issuance acceptance unit 204 as unused currency.
  • the user authentication unit 253 receives encryption key data (hereinafter referred to as user key) for guaranteeing the legitimacy of each user from the user terminal 30 and accepts an authentication request.
  • the user authentication unit 253 then generates data indicating a certificate for certifying the public key of the user key (hereinafter referred to as user public key certificate), and transmits the generated user public key certificate to the user terminal 30 that requested authentication.
  • the user authentication unit 253 generates information indicating the issuance of the user public key certificate (hereinafter referred to as user public key certificate issuance information).
  • the payment request unit 306 transmits the currency to be paid and requests payment from the financial institution server 20 or another user terminal 30.
  • the payment acceptance unit 307 receives the currency to be paid and accepts the payment from the financial institution server 20 or another user terminal 30.
  • the credit request unit 309 transmits currency to request credit from the financial institution server 20 and receives the credit result.
  • the currency issuance certificate storage unit 310 stores the currency issuance certificate that has been accepted for issuance by the currency issuance certificate issuance acceptance unit 301.
  • the public key which is a pseudonym
  • this update is performed on secure hardware (TEE, SE, etc.).
  • TEE secure hardware
  • a device that uses a regularly updated public key to execute the circulation of electronic currency is not limited to a device called a "user terminal.”
  • a device that uses a regularly updated public key to execute the circulation of electronic currency may be called a “currency processing device.”
  • the "currency processing device” is written in parentheses in Figure 11.
  • a "currency processing device” may also be called an “information processing device.”
  • the user terminal 30 includes a secure processing unit 330 and a currency distribution unit 340.
  • the secure processing unit 330 includes a key generation unit 320.
  • the currency distribution unit 340 may also be called an information distribution unit 340.
  • the secure processing unit 330 is, for example, a Secure Element or TrustZone (registered trademark), but is not limited to a specific type. Information (tables, programs, data, etc.) stored in the secure processing unit 330 cannot be tampered with from the outside.
  • the secure processing unit 330 may be called secure hardware.
  • the secure processing unit 330 itself can be realized using various conventional technologies.
  • the processing unit requiring secure processing (including a CPU, memory, etc.) can be completely separated from the general processing unit (including a CPU, memory, etc.) in hardware, so that the processing unit requiring secure processing can be realized as the secure processing unit 330.
  • the processing unit that realizes secure processing in software may be called the secure processing unit 330.
  • the key generation unit 320 generates a public key and private key pair, and also updates the public key and private key pair. Note that "updating a public key and private key pair" means generating a new public key and private key pair after generating a public key and private key pair.
  • the public key generated by the key generation unit 320 is a pseudonym, not a real name indicating the user (individual user, store, etc.) of the user terminal 30.
  • the key generation unit 320 includes a user key generation unit 303, a user authentication request unit 304, a user key storage unit 312, and a user public key certificate storage unit 313, and when generating a pair of a public key and a private key, performs user key generation (S108), user authentication request (S109), and acquisition of a user public key certificate (S111) in the sequence of FIG. 12 described below.
  • the key generation unit 320 may also perform signing using the private key at the time of issuance, payment, etc.
  • the key generation unit 320 generates a new public key and private key pair (i.e., updates) immediately after a predetermined period of time has elapsed since generating a public key and private key pair. After updating, the new public key and private key pair is used.
  • a new public key and private key pair i.e., updates
  • the key generating unit 320 after generating a pair of public key and private key, the key generating unit 320 generates a new pair of public key and private key (i.e., updates) immediately after the generated public key or private key has been used a predetermined number of times. After updating, the new pair of public key and private key is used.
  • a new pair of public key and private key i.e., updates
  • the generated public key or private key means using the private key for signing, sending the public key (or data including the public key) to another device, etc.
  • the key generation unit 320 may use a one-time signature to sign using a private key at the time of payment, etc.
  • This "one-time" means that one private key can only sign one piece of data.
  • the key generation unit 320 updates the public key and private key pair immediately after executing the one-time signature. In other words, the use of a one-time signature makes it possible to forcibly update the keys. Furthermore, fraud can be identified at the time the second signature is made.
  • the currency circulation unit 340 includes a function for executing the circulation of currency data including the public key generated by the key generation unit 312.
  • the currency data is data in which multiple pieces of data each having a pair of a public key and a signature are linked together.
  • the currency circulation unit 340 can also execute the circulation of currency using a floating denomination method that uses an NNL tree.
  • the currency circulation unit 340 includes a currency issuance certificate issuance acceptance unit 301, an intermediate certificate issuance acceptance unit 302, a withdrawal request unit 305, a payment request unit 306, a payment acceptance unit 307, an exchange/deposit request unit 308, a credit request unit 309, a currency issuance certificate storage unit 310, an intermediate certificate storage unit 311, and a user currency storage unit 314.
  • the functional units included within the secure processing unit 330 and the functional units located outside the secure processing unit 330 are not limited to the above examples.
  • the key generation unit 320 of the secure processing unit 330 may perform the signature process using a private key.
  • all of the configuration shown in FIG. 10 may be included in the secure processing unit 330.
  • the currency circulation unit 340 in FIG. 11 may be included in the secure processing unit 330.
  • FIG. 12 is a sequence diagram showing an example of the flow of the currency issuance process.
  • the currency issuance process is started periodically or in response to an operation by a person in charge.
  • the currency issuance key generation unit 101 of the issuing bank server 10 generates a currency issuance key (step S101). Specifically, the currency issuance key generation unit 101 generates a currency issuance key pair (private key skB 0vy and public key pkB 0vy ) corresponding to an issuance year y and an issuance amount v.
  • a currency issuance key pair private key skB 0vy and public key pkB 0vy
  • the currency issuance certificate issuing unit 102 transmits the currency issuance certificate CERT (pkB 0vy ) certifying the public key pkB 0vy to each financial institution server 20 (step S102), and transmits it to each user terminal 30 (step S103).
  • the currency issuance certificate issuance acceptance unit 201 of each financial institution server 20 receives the currency issuance certificate CERT (pkB 0vy ) and stores it in the currency issuance certificate storage unit 212.
  • the currency issuance certificate issuance acceptance unit 301 of each user terminal 30 receives the currency issuance certificate CERT (pkB 0vy ) and stores it in the currency issuance certificate storage unit 310.
  • the issuance amount v is a multiple of the smallest unit (e.g., 1 yen).
  • the currency issuance certificate issuing unit 102 transmits the currency issuance certificate CERT(pkB 0(10,000 yen)(2021) ) to each financial institution server 20 and each user terminal 30.
  • the currency issuance certificate issuing unit 102 does not have to transmit the currency issuance certificate CERT(pkB 0vy ) directly to each financial institution server 20 and each user terminal 30. For example, it may upload the currency issuance certificate CERT(pkB 0vy) to a server device or the like that is publicly available on a communication network, and then have it downloaded to each financial institution server 20 and each user terminal 30.
  • the root certification key generation unit 111 of the root certification authority server 11 generates a root certification key (step S104).
  • the root certification key includes a private key skA 0 and a public key pkA 0.
  • the root certificate issuance unit 112 generates a root certificate Auth(pkA 0 ) by signing with the private key skA 0 and transmits it to each financial institution server 20 (step S105).
  • the root certificate issuing unit 112 does not have to directly send the root certificate Auth(pkA 0 ) to each financial institution server 20. For example, it may upload it to a server device or the like that is publicly available on a communication network, and then have it downloaded to each financial institution server 20.
  • the intermediate authentication key generating unit 251 of the intermediate authentication authority server 25 generates an intermediate authentication key (step S106).
  • the intermediate authentication key includes a secret key skA i and a public key pkA i .
  • the intermediate certificate issuance unit 252 signs with the private key skA i and generates an intermediate certificate Auth(pkA i , pkA 0 ) using the root certificate Auth(pkA 0 ).
  • the intermediate certificate Auth(pkA i , pkA 0 ) is written as Auth(pkA i ).
  • the intermediate certificate issuance unit 252 transmits the generated intermediate certificate Auth(pkA i ) to each user terminal 30 (step S107).
  • the intermediate certificate issuance acceptance unit 302 of each user terminal 30 receives the intermediate certificate Auth(pkA i ) and stores it in the intermediate certificate storage unit 311.
  • the intermediate certificate issuance unit 252 does not have to directly transmit the intermediate certificate Auth(pkA i ) to each user terminal 30. For example, it may upload the intermediate certificate Auth(pkA i ) to a server device or the like that is publicly available on a communication network, and then have the intermediate certificate Auth(pkA i ) downloaded to each user terminal 30.
  • the user key generation unit 303 of the user terminal 30 generates a user key (step S108).
  • the user key includes a secret key skUj and a public key pkUj .
  • the user authentication request unit 304 transmits the public key pkUj to request user authentication from the intermediate certification authority server 25 (step S109).
  • the user authentication unit 253 of the intermediate certification authority server 25 generates a user public key certificate Auth(pkUj, pkAi , pkA0 ) using the root certificate Auth( pkA0 ) and the intermediate certificate Auth( pkAi ) (step S110 ) .
  • the user public key certificate Auth( pkUj , pkAi , pkA0 ) will be written as Auth(pkUj ) .
  • the user authentication unit 253 transmits the generated user public key certificate Auth( pkUj ) to the user terminal 30 (step S111).
  • the user terminal 30 holds the private key skUj , the public key pkUj , and the user public key certificate Auth( pkUj ).
  • the user authentication unit 253 generates user public key certificate issuance information ( Uj , pkUj , Auth( pkUj )) and stores it in the user public key certificate issuance information storage unit 255.
  • the user public key certificate issuance information ( Uj , pkUj , Auth( pkUj )) includes personal information Uj of the user.
  • the financial institution key generation unit 202 of the financial institution server 20 generates a financial institution key (step S112).
  • the financial institution key includes a private key skBi and a public key pBi .
  • the financial institution authentication request unit 203 transmits the public key pBi to request financial institution authentication from the root certification authority server 11 (step S113).
  • the financial institution authentication unit 113 of the root certification authority server 11 generates a financial institution public key certificate Auth(pkB i , pkA 0 ) using the root certificate Auth(pkA 0 ) (step S114).
  • the financial institution public key certificate Auth(pkB i , pkA 0 ) will be referred to as Auth(pkB i ).
  • the financial institution authentication unit 113 transmits the generated financial institution public key certificate Auth(pkB i ) to the financial institution server 20 (step S115).
  • the financial institution server 20 holds the private key skB i , the public key pkB i and the financial institution public key certificate Auth(pkB i ).
  • the financial institution authentication unit 113 generates financial institution public key certificate issuance information (B i , pkB i , Auth(pkB i )) and stores it in the financial institution public key certificate issuance information storage unit 116.
  • the financial institution public key certificate issuance information (B i , pkB i , Auth(pkB i )) includes institution information B i about the financial institution.
  • the financial institution public key certificate issuance information transmission unit 114 transmits the financial institution public key certificate issuance information (B i , pkB i , Auth(pkB i )) to the issuing bank server 10 (step S116).
  • the financial institution public key certificate issuance information acquisition unit 103 of the issuing bank server 10 acquires the financial institution public key certificate issuance information (B i , pkB i , Auth(pkB i )) and stores it in the financial institution public key certificate issuance information storage unit 116 .
  • step S108 to step S111 are executed individually by each user terminal 30.
  • steps S112 to step S116 are executed individually by each financial institution server 20.
  • the user terminal 30 may also execute the process from step S108 to step S111 multiple times to add a user key. As described above, the user terminal 30 executes the process from step S108 to step S111 when updating the public key and private key when a predetermined period (or number of times) has expired.
  • the currency issuing unit 104 of the issuing bank server 10 uses the financial institution public key certificate issuance information (B i , pkB i , Auth(pkB i )) stored in the financial institution public key certificate issuance information storage unit 116 to generate a currency issuance message (id 0 , y, B i , pkB i ) that specifies the currency ID id 0 based on the issuance amount v, the issuance year y, and the financial institution B i (step S117).
  • a currency issuance message id 0 , y, B i , pkB i
  • the structure of the currency ID is as described in FIG. 4, and the method of generating it will be described later.
  • the currency issuing unit 104 signs (id 0 , y, B i , pkB i ) using the private key skB 0vy of the currency issuance key stored in the currency issuance key storage unit 106.
  • the currency issuing unit 104 transmits the currency issuance message (id 0 , y, B i , pkB i ) with the signature S 0 attached to the financial institution server 20 (step S118).
  • the currency issuance message is used to generate the currency to be issued. Therefore, the generation of the currency issuance message essentially corresponds to the issuance of the currency.
  • FIG. 13 is a flowchart illustrating an example of the processing steps for generating a currency ID when issuing currency.
  • the currency issuing unit 104 calculates the depth of the smallest NNL tree that contains leaf nodes equal to or greater than the issuance amount v.
  • the calculation of the depth essentially corresponds to the generation of the structure of the NNL tree.
  • the currency issuing unit 104 generates a random number that will become the seed of the NNL tree (S122).
  • the currency issuing unit 104 determines the start point and end point of the leaf node of the NNL tree that corresponds to the issuance amount v (S123).
  • One of the start point and end point is a leaf node at the end of the NNL tree, and the start point and end point are determined so that the set of consecutive leaf nodes from the start point to the end point matches the issuance amount v.
  • the values of the start point and end point may be expressed by values that indicate the order in the leaf nodes of the NNL tree. In other words, random numbers corresponding to the start point and end point in the NNL tree do not need to be calculated.
  • the currency issuing unit 104 generates a set of ⁇ Seed, depth, start point, end point ⁇ as a currency ID (S124).
  • FIG. 14 is a sequence diagram showing an example of the flow of a withdrawal process, which is started in response to an operation of a user Uj instructing a withdrawal.
  • the withdrawal request unit 305 of the user terminal 30 transmits denomination information indicating the denomination v of the withdrawal and the public key pkU j of the user key stored in the user key storage unit 312 to request a withdrawal from the financial institution server 20 (step S201).
  • S1 is a signature for ( id1 , pkUj , T0 ) using the private key skBi of the financial institution key.
  • id1 is the currency ID of the currency to be transferred based on the face value of the currency in use ( T1 , T0 ).
  • the value of id1 may be the same as id0 , which is the currency ID of the currency T0 .
  • the withdrawal acceptance unit 205 may generate a currency ( T1 , T0 ) for each of these currencies T0 .
  • the value of id1 of each T1 may be the same as the corresponding id1 .
  • the withdrawal acceptance unit 205 divides a part of the currency T0 to generate a currency ( T1 , T0 ). For example, when the face value v is 1000 yen and the currency T0 is 5000 yen, the withdrawal acceptance unit 205 divides 1000 yen from the currency T0 to generate a currency ( T1 , T0 ) of 1000 yen.
  • the withdrawal acceptance unit 205 divides 2000 yen from one of the two currencies T0 to generate a currency ( T1 , T0 ) of 2000 yen.
  • the division of the currency T0 is realized by dividing the NNL tree as the id0 included in the currency T0 . This is because the NNL tree also expresses the amount of the currency. The process of dividing such currency is described below.
  • currency additional information signed by the transfer source is cumulatively added to the currency. Therefore, currency additional information can be said to be information that indicates the history of currency transfers.
  • the withdrawal acceptance unit 205 transmits the currency data of the currency in use (T 1 , T 0 ) and the financial institution public key certificate Auth(pkB i ) to the user terminal 30 (step S203).
  • the withdrawal request unit 305 of the user terminal 30 verifies the currency data of the currency in use (T 1 , T 0 ) and the financial institution public key certificate Auth(pkB i ), and stores the currency in use (T 1 , T 0 ) in the user currency storage unit 314.
  • (T 1 , T 0 ) may be called unused currency.
  • the withdrawal acceptance unit 205 may use the used currency stored in the used currency storage unit 218 instead of the unused currency stored in the unused currency storage unit 215, as necessary.
  • the update processing unit 206 updates the used currency to a currency from which the currency additional information has been deleted.
  • the withdrawal acceptance unit 205 decides whether to use the used currency in accordance with predetermined conditions. For example, the withdrawal acceptance unit 205 may use the used currency when the data volume of the used currency reaches or exceeds a threshold value.
  • the update processing unit 206 stores the currency (T n , ..., T 0 ) in the state before the update in the updated currency storage unit 217. Then, the update processing unit 206 updates the used currency (T n , ..., T 0 ) to currency T 0 from which the currency additional information (T n , ..., T 1 ) has been deleted.
  • the value (contents) of id n+1 may be the same as the currency ID included in T n .
  • the withdrawal acceptance unit 205 transmits the currency data of the currency in use (T n+1 , T 0 ) and the financial institution public key certificate Auth(pkB i ) to the user terminal 30 (step S203).
  • the withdrawal request unit 305 of the user terminal 30 verifies the currency data of the currency in use (T n+1 , T 0 ) and the financial institution public key certificate Auth(pkB i ), and stores the currency in use (T n+1 , T 0 ) in the user currency storage unit 314.
  • the update processing unit 206 may also update a currency that has already been updated one or more times.
  • the update processing unit 206 stores in the updated currency storage unit 217 a currency (Tn+ k , ..., T1 , T0 ) that is obtained by combining a currency (Tn , ..., T1 , T0 ) in a state before the previous update with a currency (Tn +k , ..., Tn +1 , T0 ) in a state before the current update.
  • FIG. 15 is a flowchart for explaining an example of the processing procedure for currency splitting.
  • step S211 the withdrawal reception unit 205 calculates the depth of the smallest NNL tree (hereinafter referred to as the "destination NNL tree") that contains at least the number of leaf nodes corresponding to the denomination v of the withdrawal.
  • the method of calculating the depth is the same as in step S121 of FIG. 13.
  • the withdrawal reception unit 205 determines a node to be the root node of the destination NNL tree from among the nodes of the NNL tree (hereinafter referred to as the "original NNL tree") as the currency ID of the currency to be split (S212).
  • the destination NNL tree is a subtree of the original NNL tree. Since the depth of the destination NNL tree has been calculated, it is possible to identify which layer of the original NNL tree the root node of the destination NNL tree is.
  • the withdrawal reception unit 205 determines the node located at the end (the ancestor of the starting point of the original NNL tree) among the nodes belonging to that layer as the root node of the destination NNL tree. For example, if the split described in FIG. 4 is performed, node N2 in FIG. 4 is determined as the root node of the destination NNL tree.
  • the withdrawal reception unit 205 calculates a random number corresponding to the root node (i.e., the seed of the NNL tree to be split) based on the seed of the original NNL tree (S213). Specifically, as described in FIG. 3, the seed of the NNL tree to be split can be calculated by recursively applying the pseudorandom number generator G to the seed of the original NNL tree.
  • the withdrawal reception unit 205 determines the start and end points of the leaf nodes of the NNL tree to be split that correspond to the face value v (S214).
  • the method of determining such leaf nodes may be the same as the method described in step S123 of FIG. 13.
  • the withdrawal acceptance unit 205 identifies the next leaf node in the original NNL tree that is the end point of the destination currency in order to match the original currency (T 0 in S202) with the balance (amount minus the face value v) (S215).
  • the withdrawal reception unit 205 associates ⁇ Seed of the original NNL tree, depth of the original NNL tree, the next leaf node, and end point of the original NNL tree ⁇ with the original currency as a temporary currency ID (S217).
  • This temporary currency ID is used as the currency ID of the currency addition information when the remaining amount of the original currency is transferred by withdrawal, payment, etc.
  • 16 is a sequence diagram showing an example of the flow of payment processing (transmission processing from a remitter to a recipient) according to the first embodiment.
  • the payment processing is started in response to an operation by a remitter user Uj to instruct a payment to a recipient user Uk .
  • the user terminal 30-1 is the user terminal 30 operated by the remittance user Uj .
  • the user terminal 30-2 is the user terminal 30 operated by the remittance user Uk .
  • the currency T0 does not indicate the current face value of the currencies (Tn -1 , ..., T0 ).
  • the current denomination of a currency (T n-1 , . . . , T 0 ) can be derived from the start and end points of the NNL tree as id n-1 of T n-1 .
  • the payment acceptance unit 307 transmits the public key pkU k of the user key stored in the user key storage unit 312 of the user terminal 30-2 to the user terminal 30-1 (step S303).
  • the currency additional information may be called currency data.
  • id n is a currency ID based on the face value of the currency (T n , ..., T 0 ) to be generated.
  • the value of id n may be the same as id n-1 , which is the currency ID of T n-1 of the currency (T n-1 , ..., T 0 ).
  • the value of id n for each Tn may be the same as the corresponding id n-1 , and the currency (T n , ..., T 0 ) described below is generated for each currency (T n-1 , ..., T 0 ).
  • the payment request unit 306 divides a part of the currency (T n-1 , ..., T 0 ) to generate id n .
  • id n in this case is ⁇ Seed, depth , start point, end point ⁇ of the NNL tree obtained by dividing the payment amount v by the payment request unit 306, using the NNL tree as id n-1 , which is the currency ID of T n-1 in the currency (T n-1 , ..., T 0 ), as the division source.
  • the processing procedure for executing such division is as described in FIG. 15. That is, in step S304, the payment request unit 306 generates id n by executing the processing procedure of FIG. 15.
  • FIG. 17 is a sequence diagram showing an example of the flow of a currency exchange process.
  • the currency exchange process is started in response to an operation of a user Uj instructing currency exchange.
  • the exchange/deposit request unit 308 of the user terminal 30 transmits denomination information indicating the denomination v of the exchange and the public key pkU j of the user key stored in the user key memory unit 312 to request an exchange from the financial institution server 20 (step S401).
  • the exchange and deposit acceptance unit 207 of the financial institution server 20 accepts the exchange (step S402).
  • the exchange and deposit acceptance unit 207 transmits exchange acceptance information indicating the acceptance of the exchange to the user terminal 30 (step S403).
  • the payment request unit 306 requests payment from the financial institution server 20 according to the payment process shown in FIG. 16 (step S404).
  • the payment request unit 208 of the financial institution server 20 requests payment from the user terminal 30 for each of v1 , ..., vx in accordance with the payment process shown in FIG. 16 (steps S405-1, S405-2).
  • FIG. 18 is a sequence diagram showing an example of the flow of a credit process.
  • the credit process is started in response to an operation of a user Uj instructing credit.
  • the credit request unit 309 of the user terminal 30 transmits the currency T0 for which the availability of the currency is to be confirmed, and requests credit from the financial institution server 20 (step S501).
  • the credit acceptance unit 210 of the financial institution server 20 accepts the credit (step S502). Specifically, the credit acceptance unit 210 searches for the currency T0 in the currently used currency storage unit 216, and if a record including T0 , for example ( T1 , T0 ), exists, the credit acceptance unit 210 transmits a credit result indicating a credit success ack to the user terminal 30 (step S503).
  • FIG. 19 is a sequence diagram showing an example of the flow of a deposit process.
  • the deposit process is started in response to an operation of a user Uj instructing a deposit.
  • the currency exchange/deposit request unit 308 of the user terminal 30 transmits face amount information indicating the face amount v of the deposit and the public key pkU j of the user key stored in the user key memory unit 312 to request currency exchange from the financial institution server 20 (step S601).
  • the exchange and deposit reception unit 207 of the financial institution server 20 accepts the deposit (step S602).
  • the exchange and deposit reception unit 207 transmits deposit acceptance information indicating the acceptance of the deposit to the user terminal 30 (step S603).
  • the payment request unit 306 requests payment from the financial institution server 20 according to the payment process shown in FIG. 13 (step S604).
  • the refund process is started in response to an operation of the financial institution Bi to instruct a refund.
  • the refund request unit 211 of the financial institution server 20 transmits the currency data to be refunded and requests a refund from the issuing bank server 10 (step S701).
  • the currency data to be refunded may be unused currency or used currency.
  • the refund request unit 211 extracts unused currency T0 from the unused currency storage unit 215 and transmits it to the issuing bank server 10.
  • the refund request unit 211 extracts the used currency (T n , ..., T 0 ) from the used currency storage unit 218 and transmits it to the issuing bank server 10. Furthermore, if the used currency (T m , ..., T k+1 , T 0 ) has been updated, the refund request unit 211 reads out the currency additional information (T k , ..., T 1 ) before the update from the updated currency storage unit 217, combines it with the used currency (T m , ..., T k+1 , T 0 ), and transmits the combined currency (T m , ..., T 0 ) to the issuing bank server 10.
  • the refund acceptance unit 105 of the issuing bank server 10 accepts the refund (step S702). Specifically, the refund acceptance unit 105 stores the received currency data in the refunded currency storage unit 107. At this time, the refund acceptance unit 105 may confirm the validity of the currency for which the refund has been accepted by verifying the signature included in each currency additional information. For example, the signature S n included in the currency additional information T n can be verified using the public key included in the currency additional information T n-1 .
  • NNL tree it is possible to reduce the number of coins used in one transaction, which in turn makes it possible to prevent individuals from being narrowed down by pseudonyms (public keys) assigned to multiple currency data in the same transaction.
  • the NNL tree it is possible to efficiently realize a floating denomination system. Specifically, while the minimum unit of currency is fixed, it is possible to issue currency in multiples of the minimum unit, making it possible to sign and verify in units of currency rather than in units of the minimum unit. Furthermore, by adopting the NNL tree method, it is also possible to reduce the number of hash calculations.
  • Second Embodiment Next, a second embodiment will be described. In the second embodiment, differences from the first embodiment will be described. Points not specifically mentioned in the second embodiment may be the same as those in the first embodiment.
  • the second embodiment differs from the first embodiment in that a hash tree of currencies is generated and the root of the hash tree is signed to sign all the target currencies at once.
  • components having the same functional configuration as those in the first embodiment are given the same reference numerals as those used in the description of the first embodiment, and descriptions of these components are omitted.
  • FIG. 21 is a diagram for explaining the MHTree function of a Merkle tree according to the second embodiment.
  • the MHTree function is a function that generates a hash tree from a data set.
  • the vertex h is called the root.
  • MHTree(D)->L it is written as MHTree(D)->L.
  • the value of each leaf node is the hash value of the data that corresponds to that leaf node.
  • the seventh and eighth leaf nodes are complemented with "00" to enable the construction of a binary tree.
  • FIG. 22 is a first diagram for explaining the MHPath function of a Merkle tree according to the second embodiment.
  • the MHPath function is a function that generates a path required to authenticate a partial data set.
  • MHPath (D', L) -> (AP, h).
  • D' sub-data
  • MHver AP, h, D'
  • T T or F.
  • the MHver function outputs T if the verification is successful (if D' is correct), and outputs F if the verification fails (if D' is incorrect).
  • D' being correct means that none of the data belonging to D' has been tampered with.
  • the hash tree L1 is a hash tree generated by assigning each T0_t constituting T0 to its leaf nodes.
  • AP_t is a path required for authenticating RH obtained by MHPath(T 0 _t, L 1 )->(AP_t, RH).
  • the value of each id 1 _t may be the same as the corresponding id 0 _t. This state is shown in FIG. 25. It can be seen that each T 1 _t contains the same signature S 1.
  • a set of currencies (T 1 _t, T 0 _t) (here, a set of eight) is written as (T 1 , T 0 ).
  • the withdrawal acceptance unit 205 transmits the currency data set of the currency set (T 1 , T 0 ) in use and the financial institution public key certificate Auth(pkB i ) to the user terminal 30 (step S203).
  • the withdrawal request unit 305 of the user terminal 30 verifies the currency data set of the currency set (T 1 , T 0 ) in use and the financial institution public key certificate Auth(pkB i ), and stores the currency set (T 1 , T 0 ) in use in the user currency storage unit 314.
  • the withdrawal request unit 305 needs to verify only one of the currencies (T 1 _t , T 0 _t ) in (T 1 , T 0 ) when verifying the currency set (T 1 , T 0 ). Specifically, for any one of T 1 _t, MHver(AP_t, RH, T 0 ) is verified to be T, and S 1 included in the T 1 _t is verified. For other T 1 _t, the withdrawal request unit 305 only needs to confirm that they include the same S 1 as the verified T 1 _t.
  • the user of the user terminal 30 can use each of (T 1 _t, T 0 _t ) that constituted the withdrawn currency set (T 1 , T 0 ) individually (separately).
  • T 1 _t indicates the history of the currency owner (circulation process) like the currency additional information in the first embodiment, except that it includes RH and AP_t to reduce the signature and verification costs of the currency set, and the authenticity of each currency is guaranteed individually.
  • FIG. 16 It is also executed in the process of FIG. 16 called from FIG. 17 (when exchanging money) and FIG. 19 (when depositing money).
  • the process in FIG. 16 can be applied in all other phases (such as when issuing and when redeeming). For example, when redeeming, it is possible to efficiently transfer the currency to be redeemed in one lump sum.
  • the second embodiment has the effect of reducing the signature and verification costs when transferring multiple currencies.
  • Each part of each device (and information processing device) included in the electronic currency system 1 can be realized, for example, by having a computer execute a program describing the processing contents described in this embodiment.
  • this "computer” may be a physical machine or a virtual machine on the cloud.
  • the "hardware” described here is virtual hardware.
  • the above program can be recorded on a computer-readable recording medium (such as a portable memory) and stored or distributed.
  • the above program can also be provided via a network, such as the Internet or e-mail.
  • FIG. 26 is a diagram showing an example of the hardware configuration of the computer.
  • the computer in FIG. 26 has a drive device 1000, an auxiliary storage device 1002, a memory device 1003, a CPU 1004, an interface device 1005, a display device 1006, an input device 1007, an output device 1008, etc., all of which are interconnected via a bus B.
  • the program that realizes the processing on the computer is provided by a recording medium 1001, such as a CD-ROM or a memory card.
  • a recording medium 1001 storing the program is set in the drive device 1000, the program is installed from the recording medium 1001 via the drive device 1000 into the auxiliary storage device 1002.
  • the program does not necessarily have to be installed from the recording medium 1001, but may be downloaded from another computer via a network.
  • the auxiliary storage device 1002 stores the installed program as well as necessary files, data, etc.
  • the memory device 1003 When an instruction to start a program is received, the memory device 1003 reads out and stores the program from the auxiliary storage device 1002.
  • the CPU 1004 realizes the functions related to the device according to the program stored in the memory device 1003.
  • the interface device 1005 is used as an interface for connecting to a network.
  • the display device 1006 displays a GUI (Graphical User Interface) or the like according to a program.
  • the input device 1007 is composed of a keyboard, mouse, buttons, a touch panel, or the like, and is used to input various operation instructions.
  • the output device 1008 outputs the results of calculations.
  • the above computer may be equipped with a GPU (Graphics Processing Unit) or TPU (Tensor processing unit) instead of the CPU 1004, or may be equipped with a GPU or TPU in addition to the CPU 1004.
  • the processes may be shared and executed, for example, the GPU or TPU executes processes that require special calculations such as neural networks, and the CPU 1004 executes other processes.
  • An information processing device in an information system in which information in which a plurality of pieces of data each having a pair of a public key and a signature are linked is transmitted and received between information processing devices, Memory, at least one processor coupled to the memory; Including, The processor, After a certain period of time has elapsed since the generation of the public key and private key pair, or after the generated public key or private key has been used a certain number of times, a new public key and private key pair is generated and a certificate for the newly generated public key is obtained; An information processing device that transmits or receives information including the newly generated public key. (Additional Note 2) 2.
  • the information processing device wherein an owner of the information processing device is a store, and the public key generated by the key generating unit is a public key indicating a pseudonym of the store. (Additional Note 3) 3.
  • the information processing device 4
  • the processor generates a new pair of a public key and a private key after a one-time signature is performed using the private key.
  • An information processing method executed by an information processing device in an information system in which information is transmitted and received between information processing devices, the information being a concatenation of a plurality of data pieces each having a pair of a public key and a signature comprising: a key generation step of generating a new public key and private key pair and obtaining a certificate for the newly generated public key after a certain period of time has elapsed since the generation of the public key and private key pair, or after the generated public key or private key has been used a certain number of times; an information distribution step of transmitting or receiving information including the newly generated public key.
  • a non-transitory storage medium storing a program for causing a computer to function as each part of the information processing device according to any one of claims 1 to 5.
  • ⁇ Appendix 2> (Additional Note 1) Memory, at least one processor coupled to the memory; Including, The processor, Calculate the depth of the NNL tree that includes leaf nodes whose number is equal to or greater than the value obtained by dividing the amount to be transferred by the smallest unit of electronic currency; determining a root node of a second NNL tree, which is a subtree of the first NNL tree, based on the depth in the first NNL tree added to the first electronic currency; Calculating a random number corresponding to the root node based on a seed of the first NNL tree; determining a range of leaf nodes to be associated with the amount among the leaf nodes; generating information indicating said random number, said depth, and said range as information to be added to the second electronic currency.
  • Memory at least one processor coupled to the memory; Including, The processor, Calculate the depth of an NNL tree including leaf nodes whose number is equal to or greater than the value obtained by dividing the amount of the electronic currency to be issued by the smallest unit of the electronic currency; Generate random numbers to be seeds of the NNL tree; determining a range of leaf nodes to be associated with the amount among the leaf nodes; a currency processing device that generates information indicating said random number, said depth, and said range as information to be added to said electronic currency to be issued.
  • Memory at least one processor coupled to the memory; Including, The processor, A Merkle tree is generated based on the hash values of each of the multiple electronic currencies to be transferred; a hash value of a root node of the Merkle tree and a signature for the hash value, the hash value being added to each of the plurality of electronic currencies.
  • a depth calculation step for calculating the depth of an NNL tree including leaf nodes whose number is equal to or greater than the value obtained by dividing the amount to be transferred by the smallest unit of electronic currency; a root node determination step for determining a root node of a second NNL tree, which is a subtree of the first NNL tree, based on the depth in a first NNL tree added to the first electronic currency; a random number calculation step for calculating a random number corresponding to the root node based on a seed of the first NNL tree; a leaf node determination step for determining a range of leaf nodes to be associated with the amount among the leaf nodes; a currency additional information generating step of generating information indicating the random number, the depth, and the range as information to be added to the second electronic currency; A computer implemented currency processing method.
  • a computer implemented currency processing method is

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The present invention provides an information processing device in an information system in which information containing a concatenated plurality of data with pairs of public keys and signatures is transmitted and received between information processing devices, the information processing device comprising: a key generation unit configured to generate a new pair of public and private keys and acquire a certificate for the newly generated public key after a certain period has elapsed after the generation of a pair of public and private keys or after the generated public or private keys have been used a certain number of times; and an information distribution unit configured to transmit or receive information containing the newly generated public key.

Description

情報処理装置、情報システム、情報処理方法、及びプログラムInformation processing device, information system, information processing method, and program

 本発明は、情報処理装置、情報システム、情報処理方法、及びプログラムに関する。 The present invention relates to an information processing device, an information system, an information processing method, and a program.

 情報システムの一例である電子通貨システムで使用される電子現金については長年研究が行われている。また、各国政府が電子通貨の検討を進めている。 Research has been ongoing for many years into electronic cash, which is used in electronic currency systems, an example of an information system. Governments around the world are also considering electronic currency.

 例えは特許文献1には、電子通貨単位ごとに発行銀行による署名を打つことで、利用者間のみで取引を完結させることができるトークン型の電子通貨システムが開示されている。 For example, Patent Document 1 discloses a token-based electronic currency system in which a signature is provided by the issuing bank for each unit of electronic currency, allowing transactions to be completed only between users.

国際公開第2022/254624号International Publication No. 2022/254624

 従来技術における電子通貨システムでは、通貨の流通を行うために、各利用者の公開鍵を含む通貨データが利用者間で送受信される。しかし、従来技術では、通貨データにおける公開鍵が仮名に相当しており、一般に、仮名に基づく方式では、仮名が個人の絞り込みに利用される可能性があるという課題があった。 In conventional electronic currency systems, currency data including the public key of each user is sent between users to circulate the currency. However, in conventional technologies, the public key in the currency data corresponds to a pseudonym, and generally, there is an issue with pseudonym-based methods in that the pseudonym could be used to narrow down individuals.

 なお、上記の課題は電子通貨システムに限らない様々な情報システムでも生じ得る課題である。例えば、署名を用いて情報の流通を行うPKI(Public Key Infrastructure)アプリケーションを動作させる情報システムにおいて、上記電子通貨システムにおける課題と同様の課題が生じ得る。流通の対象となる情報は、例えば電子的価値であるが、電子的価値に限定されない。 The above-mentioned issues are not limited to electronic currency systems, and can also occur in various information systems. For example, issues similar to those in the electronic currency system can occur in information systems that run PKI (Public Key Infrastructure) applications that use signatures to distribute information. Information that is the subject of distribution can be, for example, electronic value, but is not limited to electronic value.

 本発明は上記の点に鑑みてなされたものであり、情報システムにおけるプライバシ保護を行うための技術を提供することを目的とする。 The present invention has been made in consideration of the above points, and aims to provide technology for protecting privacy in information systems.

 開示の技術によれば、公開鍵と署名との組を有するデータが複数個連結された情報を情報処理装置間で送受信する情報システムにおける情報処理装置であって、
 公開鍵と秘密鍵の組を生成してから、ある期間が経過した後に、又は、生成した公開鍵又は秘密鍵がある回数だけ使用された後に、新たに公開鍵と秘密鍵の組を生成し、新たに生成した前記公開鍵の証明書を取得するように構成されている鍵生成部と、
 新たに生成した前記公開鍵を含む情報を送信又は受信するように構成されている情報流通部と
 を備える情報処理装置が提供される。 According to the disclosed technology, there is provided an information processing device in an information system in which information in which a plurality of linked pieces of data each having a pair of a public key and a signature are transmitted and received between information processing devices, the information processing device comprising:
a key generation unit configured to generate a new pair of public key and private key and obtain a certificate for the newly generated public key after a certain period of time has elapsed since the generation of the pair of public key and private key, or after the generated public key or private key has been used a certain number of times;
and an information distribution unit configured to transmit or receive information including the newly generated public key.

 開示の技術によれば、情報システムにおけるプライバシ保護を行うための技術が提供される。 The disclosed technology provides a technique for protecting privacy in information systems.

プライバシ保護についての課題と解決策を説明するための図である。FIG. 1 is a diagram for explaining issues and solutions regarding privacy protection. プライバシ保護についての課題と解決策を説明するための図である。FIG. 1 is a diagram for explaining issues and solutions regarding privacy protection. NNL木を説明するための図である。FIG. 1 is a diagram for explaining an NNL tree. 本実施の形態における通貨に対するNNL木の適用方法を説明するための図である。1 is a diagram for explaining a method of applying an NNL tree to currency in this embodiment. FIG. 電子通貨システムのシステム構成の一例を示す図である。FIG. 1 is a diagram illustrating an example of a system configuration of an electronic currency system. 発行銀行サーバの機能構成図である。FIG. 2 is a functional configuration diagram of an issuing bank server. ルート認証局サーバの機能構成図である。FIG. 2 is a functional configuration diagram of a root certificate authority server. 金融機関サーバの機能構成図である。FIG. 2 is a functional configuration diagram of a financial institution server. 中間認証局サーバの機能構成図である。FIG. 2 is a functional configuration diagram of an intermediate certificate authority server. 利用者端末の機能構成図である。FIG. 2 is a functional configuration diagram of a user terminal. 利用者端末の機能構成図である。FIG. 2 is a functional configuration diagram of a user terminal. 通貨発行処理の流れの一例を示すシーケンス図である。FIG. 11 is a sequence diagram showing an example of the flow of a currency issuing process. 通貨発行時における通貨IDの生成処理の処理手順の一例を説明するためのフローチャートである。11 is a flowchart illustrating an example of a procedure for generating a currency ID when issuing currency. 引出処理の流れの一例を示すシーケンス図である。FIG. 11 is a sequence diagram showing an example of the flow of a withdrawal process. 通貨の分割処理の処理手順の一例を説明するためのフローチャートである。13 is a flowchart illustrating an example of a procedure for currency division processing. 支払処理の流れの一例を示すシーケンス図である。FIG. 11 is a sequence diagram showing an example of the flow of a payment process. 両替処理の流れの一例を示すシーケンス図である。FIG. 11 is a sequence diagram showing an example of the flow of a currency exchange process. 与信処理の流れの一例を示すシーケンス図である。FIG. 11 is a sequence diagram showing an example of the flow of a credit process. 預入処理の流れの一例を示すシーケンス図である。A sequence diagram showing an example of the flow of a deposit process. 還収処理の流れの一例を示すシーケンス図である。FIG. 11 is a sequence diagram showing an example of the flow of a return process. 第2実施形態に係るマークルツリーのMHTree関数について説明するための図である。FIG. 11 is a diagram for explaining an MHTree function of a Merkle tree according to the second embodiment; 第2実施形態に係るマークルツリーのMHPath関数について説明するための第一の図である。FIG. 11 is a first diagram for explaining an MHPath function of a Merkle tree according to the second embodiment. 第2実施形態に係るマークルツリーのMHVer関数について説明するための図である。FIG. 13 is a diagram for explaining an MHVer function of a Merkle tree according to the second embodiment. 8枚の通貨が有る状態を示す図である。This is a diagram showing a state in which there are eight pieces of currency. 8枚の通貨に対して同じ署名を含む通貨付加情報が付加された状態を示す図である。FIG. 13 is a diagram showing a state in which currency additional information including the same signature is added to eight bills. コンピュータのハードウェア構成例を示す図である。FIG. 2 illustrates an example of a hardware configuration of a computer.

 以下、図面を参照して本発明の実施の形態(本実施の形態)を説明する。以下で説明する実施の形態は一例に過ぎず、本発明が適用される実施の形態は、以下の実施の形態に限られるわけではない。 Below, an embodiment of the present invention (present embodiment) will be described with reference to the drawings. The embodiment described below is merely an example, and the embodiment to which the present invention is applicable is not limited to the embodiment described below.

 以下、本発明の実施形態として、署名を用いて情報(例えば電子的価値)の流通を行うPKI(Public Key Infrastructure)アプリケーションにおけるプライバシ保護を実現するための技術について説明する。 Below, as an embodiment of the present invention, a technology for realizing privacy protection in a PKI (Public Key Infrastructure) application that uses signatures to distribute information (e.g., electronic value) will be described.

 以下では、PKI(Public Key Infrastructure)アプリケーションにおける情報システムの例として電子通貨システムを取り上げて、本発明に係るプライバシ保護のための技術を説明する。 Below, we will explain the privacy protection technology related to the present invention by taking an electronic currency system as an example of an information system in a PKI (Public Key Infrastructure) application.

 なお、電子通貨システムは、本発明を適用する技術の一例に過ぎない。本発明は、電子通貨システム以外の様々な情報システムにも適用可能である。例えば、チケット販売・流通、企業内(及び企業間)の業務フロー、権利移転などのアプリケーションを動作させる情報システムにも本発明を適用可能である。 Note that an electronic currency system is merely one example of a technology to which the present invention can be applied. The present invention can also be applied to various information systems other than electronic currency systems. For example, the present invention can also be applied to information systems that run applications such as ticket sales and distribution, intra-company (and inter-company) business flows, and rights transfer.

 (第1実施形態の概要)
 第1実施形態に係る電子通貨システムは、特定の発行銀行にて発行する電子通貨のシステムである。電子通貨の価値は法定通貨と同じ価値が保証されるものが提唱されている。以下、日本円と同価値の電子通貨を例に説明するが、これに限られず、他の国の法定通貨と同価値の電子通貨であっても良いし、法定通貨と同価値の電子通貨でなくても良い。 (Overview of the first embodiment)
The electronic currency system according to the first embodiment is a system for electronic currency issued by a specific issuing bank. It is proposed that the value of the electronic currency is guaranteed to be the same as that of legal tender. Below, an example of electronic currency with the same value as the Japanese yen will be described, but this is not limiting, and electronic currency with the same value as the legal tender of another country may be used, or electronic currency that does not have to be the same value as the legal tender.

 第1実施形態に係る電子通貨システムでは、発行銀行が管理するサーバが署名をして電子通貨(以下、単に通貨という)を発行する。また、発行銀行以外の金融機関(例えば市中銀行)にて取引の履歴データを管理する。また、利用者同士の取引では、お互いの利用者の端末同士が直接通信して、取引のための処理を実行する。 In the electronic currency system according to the first embodiment, a server managed by the issuing bank issues electronic currency (hereafter simply called currency) with a signature. Furthermore, transaction history data is managed by a financial institution other than the issuing bank (e.g. a commercial bank). Furthermore, when transactions occur between users, the users' terminals communicate directly with each other to execute the processing required for the transaction.

 (第1実施形態の概要:プライバシ保護に関する課題及び解決策)
 ここで、プライバシ保護に関する課題及び解決策について、例1~例4を用いて説明する。 (Overview of the first embodiment: issues and solutions regarding privacy protection)
Here, problems and solutions regarding privacy protection will be described using Examples 1 to 4.

 <例1>
 本実施の形態では、特許文献1に開示された技術と同様に、現在の通貨所有者(=pkUnを公開鍵として有する利用者端末30)は、基本的に図1に示すような通貨データ(通貨トークンと呼んでもよい)を保持する。当該通貨データは、通貨を利用した各利用者の公開鍵pkと署名Sとの組を有するデータが連結されたものである。 <Example 1>
In this embodiment, similar to the technology disclosed in Patent Document 1, the current currency owner (=user terminal 30 having pkUn as a public key) basically holds currency data (which may be called a currency token) as shown in Fig. 1. The currency data is a concatenation of data having a pair of the public key pk and signature S of each user who has used the currency.

 例えばn=2であれば、現在の通貨所有者は、市中銀行のサーバである金融機関サーバ20から通貨を引き出した者である。利用者端末間で流通する通貨の所有者は、店舗である場合もあるし、店舗を利用する個人ユーザである場合もある。 For example, if n=2, the current currency owner is the person who has withdrawn the currency from financial institution server 20, which is a commercial bank server. The owner of the currency circulating between user terminals may be a store or an individual user who uses the store.

 ここでは、現在の通貨所有者が個人ユーザであるとする。1つ前の通貨所有者は、店舗である場合もあるし、個人ユーザである場合もある。 Here, we assume that the current currency owner is an individual user. The previous currency owner may have been a store or an individual user.

 例1では、店舗は(semi-)honestであり、利用者のプライバシに悪影響のある、店舗の公開鍵の実名での公開は行わない想定とする。このような公開鍵を「仮名」と呼んでもよい。なお、「(semi-)honest」は、semi-honest又はhonestの意味である。 In Example 1, we assume that the store is (semi-)honest and will not publish the store's public key under its real name, which would have a negative impact on the privacy of users. Such a public key may be called a "pseudonym." Note that "(semi-)honest" can mean either semi-honest or honest.

 一方、金融機関サーバ20の公開鍵は、市中銀行の"実名"で公開される可能性が高いこと考えられる。従って、図1に示す通貨データ中の、市中銀行の公開鍵から、引出者が利用する市中銀行がどの市中銀行であるかが分かる。 On the other hand, it is highly likely that the public key of the financial institution server 20 will be published under the "real name" of the commercial bank. Therefore, the commercial bank public key in the currency data shown in Figure 1 indicates which commercial bank the withdrawer is using.

 また、現在の通貨所有者の1つ前の通貨所有者が店舗であるとすると、図1の通貨データにより、現在の通貨所有者である個人ユーザが利用する店舗の仮名のみが露呈する。 Also, if the previous currency owner of the current currency owner is a store, the currency data in Figure 1 will only reveal the pseudonym of the store used by the individual user who is the current currency owner.

 上記のような想定において、「(1)個人ユーザが同一の公開鍵を長期間使用する場合」には、下記の問題が発生する可能性がある。 In the above scenario, if an individual user uses the same public key for a long period of time, the following problems may occur.

 複数の店舗(仮名)および銀行(実名)との取引履歴が、当該個人ユーザの公開鍵(例えば図1のpkUn)に紐づいたデータとして収集され得る。言い換えると、当該公開鍵で取引がなされた店舗(仮名)が、通貨データを集めることで上記取引履歴が分かってしまう。このように収集されたデータを、個人に関するデータセットと捉えると、発行銀行では全DB(全データセット)を保有し、市場は一部DB(一部のデータセット)を保有していると言える。 Transaction history with multiple stores (pseudonyms) and banks (real name) can be collected as data linked to the individual user's public key (e.g., pkUn in Figure 1). In other words, the store (pseudonym) with which transactions were conducted using the public key can determine the transaction history by collecting currency data. If the data collected in this way is considered a data set related to an individual, it can be said that the issuing bank holds the entire DB (full data set) and the market holds a partial DB (part of the data set).

 なお、図1は一例であり、同様の問題は、一般の個人ユーザ(Uk)が取引した店舗(Uk+1及びUk-1)からも生じ得る。これは後述する例2~例4でも同様である。 Note that Figure 1 is just one example, and similar problems can also occur at stores (Uk+1 and Uk-1) where a general individual user (Uk) makes transactions. This also applies to Examples 2 to 4 described below.

 上記の問題を回避するために、本実施の形態では、店舗(及び個人ユーザ)の公開鍵は仮名とするとともに、店舗の公開鍵及び個人ユーザの公開鍵をそれぞれ定期的に更新することしている。これにより、通貨データにおける公開鍵を個人の絞り込み(=疑似IDの考え方に相当)に利用できる可能性を低くでき、プライバシ保護の能力を高めることができる。 To avoid the above problems, in this embodiment, the public keys of stores (and individual users) are pseudonyms, and the store's public keys and the individual user's public keys are updated periodically. This reduces the possibility that the public keys in the currency data can be used to narrow down individuals (corresponding to the idea of pseudo-IDs), and improves privacy protection.

 上記の定期的な更新の一例として、個人ユーザ(及び店舗)が、「(2)同一の公開鍵を1回だけ使用する」こととしてもよい。つまり、利用者端末30は、1回だけ公開鍵(あるいは公開鍵の組となる秘密鍵)を使用したら当該公開鍵をそれ以降使用せず、新たな公開鍵を生成し、次回はその新たな公開鍵を使用する。 As an example of the periodic updates mentioned above, individual users (and stores) may "(2) use the same public key only once." In other words, once the user terminal 30 has used a public key (or a private key that is a pair of the public key) only once, it will no longer use that public key, but will instead generate a new public key and use that new public key next time.

 個人ユーザが同一の公開鍵を1回だけ使用する場合、公開鍵を個人の絞り込みに利用できる可能性はなくなる。ただし、同一の公開鍵は1回だけしか使用できないとすると、運用上の負荷(証明書発行等)は大きくなる。 If an individual user uses the same public key only once, there is no possibility that the public key can be used to narrow down the users. However, if the same public key can only be used once, the operational burden (issuing certificates, etc.) will be large.

 <例2>
 同一取引で複数の通貨データが使用される場合の通貨データのイメージを図2に示す。ここでは、公開鍵としてpkUnを持つ個人ユーザが現在の通貨所有者であり、2つの通貨の所有者であるとする。当該個人ユーザUnの次の支払先の店舗がUn+1であるとする。 <Example 2>
An image of currency data when multiple currency data are used in the same transaction is shown in Figure 2. Here, an individual user with a public key pkUn is assumed to be the current currency owner and the owner of two currencies. The next payment destination store for individual user Un is assumed to be Un+1.

 例2でも、店舗は(semi-)honestであり、利用者のプライバシに悪影響のある、店舗の公開鍵の実名による公開は行わない想定とする。この場合、現在の通貨所有者の1つ前の通貨所有者が店舗であるとすると、例1と同様に、図2の通貨データにより、現在の通貨所有者である個人ユーザが利用する店舗の仮名のみが露呈する。 In Example 2, we also assume that the store is semi-honest and will not publish the store's public key under its real name, which would have a negative impact on the user's privacy. In this case, if the previous owner of the current currency is a store, then just like in Example 1, the currency data in Figure 2 will reveal only the pseudonym of the store used by the individual user who is the current currency owner.

 上記のような想定において、「(1)個人ユーザが同一の公開鍵を長期間使用する場合」、及び、「(2)個人ユーザが同一の公開鍵を1回だけ使用する場合」のいずれの場合においても、次の支払先の店舗Un+1から見て、当該公開鍵(pkUn)で取引された複数の店舗(仮名)が、対象取引の複数の通貨データから同時に分かる。特に(1)の場合、よく使う店舗に、当該個人ユーザの利用する他店舗(仮名)の情報が収集される可能性がある。 In the above scenario, in both cases (1) "when an individual user uses the same public key for a long period of time" and (2) "when an individual user uses the same public key only once," the next payment destination store Un+1 can simultaneously determine the multiple stores (pseudonyms) that were traded with that public key (pkUn) from the multiple currency data of the target transaction. In particular, in the case of (1), there is a possibility that a frequently used store may collect information about other stores (pseudonyms) used by the individual user.

 例1と同様に、本実施の形態では、店舗(及び個人ユーザ)の公開鍵を仮名とするとともに、個人ユーザ及び店舗それぞれの公開鍵を定期的に更新することとして、通貨データを個人の絞り込み(=疑似IDの考え方に相当)に利用できる可能性を低くしている。 As in Example 1, in this embodiment, the public keys of the store (and individual user) are pseudonyms, and the public keys of the individual users and stores are updated periodically, reducing the possibility that currency data can be used to narrow down individuals (corresponding to the idea of a pseudo-ID).

 <例3>
 例3では、例1と同様に、現在の通貨所有者(=pkUnを公開鍵として有する利用者端末30)は、図1に示す通貨データを保持する。 <Example 3>
In Example 3, similarly to Example 1, the current currency owner (=user terminal 30 having pkUn as the public key) holds the currency data shown in FIG.

 例1と同様に、現在の通貨所有者が個人ユーザであるとする。1つ前の通貨所有者は、店舗である場合もあるし、個人ユーザである場合もある。 As in Example 1, assume that the current currency owner is an individual user. The previous currency owner may be a store or an individual user.

 例3では、1つ前の通貨所有者は店舗であるとする。当該店舗は誤って、公開鍵を店舗の"実名"で公開する可能性がある。また、当該店舗は誤って、当該店舗の公開鍵を長期間同じにする可能性がある。 In Example 3, the previous currency owner is a store. The store may mistakenly publish a public key under the store's "real name." The store may also mistakenly keep its public key the same for a long period of time.

 上記の誤りが生じた場合、図1の通貨データにより、現在の通貨所有者である個人ユーザが利用する店舗の実名が露呈する。 If the above error occurs, the currency data in Figure 1 will reveal the real names of the stores used by the individual user who is the current currency owner.

 上記のような想定において、「(1)個人ユーザが同一の公開鍵を長期間使用する場合」には、下記の問題が発生する可能性がある。 In the above scenario, if an individual user uses the same public key for a long period of time, the following problems may occur.

 複数の店舗(実名)および銀行(実名)の取引履歴が、当該個人ユーザの公開鍵(例えば図1のpkUn)に紐づいたデータとして収集され得る。言い換えると、当該公開鍵で取引がなされた店舗(実名)が、通貨データを集めることで上記取引履歴が分かってしまう。このように収集されたデータを、個人に関するデータセットと捉えると、発行銀行では全DB(全データセット)を保有し、市場は一部DB(一部のデータセット)を保有していると言える。特に(1)の場合、本データセットが個人の絞り込みに利用される可能性がある(=疑似IDの考え方に相当)。 The transaction history of multiple stores (real names) and banks (real names) can be collected as data linked to the public key of the individual user (e.g., pkUn in Figure 1). In other words, the store (real name) where the transaction was conducted using the public key can determine the transaction history by collecting currency data. If the data collected in this way is considered a data set related to an individual, it can be said that the issuing bank holds the entire DB (full data set) and the market holds a partial DB (partial data set). In particular, in the case of (1), this data set can be used to narrow down the individual (= equivalent to the idea of a pseudo-ID).

 上記の問題を回避するために、本実施の形態では、店舗(及び個人ユーザ)の公開鍵は仮名とするとともに、店舗の公開鍵及び個人ユーザの公開鍵をそれぞれ定期的に更新することしている。これにより、通貨データを個人の絞り込み(=疑似IDの考え方に相当)に利用できる可能性を低くできる。 To avoid the above problems, in this embodiment, the public keys of stores (and individual users) are pseudonyms, and the store's public keys and the individual user's public keys are updated periodically. This reduces the possibility that currency data can be used to narrow down individuals (corresponding to the idea of pseudo-IDs).

 上記の定期的な更新の一例として、個人ユーザ(及び店舗)が、同一の公開鍵を1回だけ使用することとしてもよい。つまり、利用者端末30は、1回だけ公開鍵(あるいは公開鍵の組となる秘密鍵)を使用したら当該公開鍵をそれ以降使用せず、新たな公開鍵を生成し、次回はその新たな公開鍵を使用する。 As an example of the periodic updates mentioned above, an individual user (and a store) may use the same public key only once. In other words, once the user terminal 30 has used a public key (or a private key that is a pair of the public key) once, it will no longer use that public key, but will instead generate a new public key and use that new public key next time.

 「(2)個人ユーザが同一の公開鍵を1回だけ使用する場合」には、公開鍵を個人の絞り込みに利用できる可能性はなくなる。ただし、同一の公開鍵は1回だけしか使用できないとすると、運用上の負荷(証明書発行等)は大きくなる。 In the case of "(2) when an individual user uses the same public key only once," there is no possibility that the public key can be used to narrow down individuals. However, if the same public key can only be used once, the operational burden (issuing certificates, etc.) will be large.

 <例4>
 例4では、例2と同様に、図2に示すとおり、同一取引で複数の通貨データが使用される。ここでは、公開鍵としてpkUnを持つ個人ユーザが、現在の通貨所有者であり、2つの通貨の所有者であるとする。当該個人ユーザUnの次の支払先の店舗がUn+1であるとする。 <Example 4>
In Example 4, similar to Example 2, multiple currency data are used in the same transaction as shown in Fig. 2. Here, an individual user having a public key pkUn is assumed to be the current currency owner and the owner of two currencies. The next payment destination store for individual user Un is assumed to be Un+1.

 例4では、1つ前の複数の通貨所有者は、複数の店舗であるとする。当該複数の店舗は誤って、公開鍵を店舗の"実名"で公開する可能性がある。また、当該複数の店舗は誤って、公開鍵を長期間同じにする可能性がある。 In Example 4, the previous multiple currency owners are multiple stores. The multiple stores may mistakenly publish public keys under the "real" names of the stores. Also, the multiple stores may mistakenly keep the public keys the same for a long period of time.

 上記の誤りが生じた場合、図2の通貨データにより、現在の通貨所有者である個人ユーザが利用する複数の店舗の実名が同時に露呈する。 If the above error occurs, the currency data in Figure 2 will simultaneously reveal the real names of multiple stores used by the individual user who is the current currency owner.

 上記のような想定において、「(1)個人ユーザが同一の公開鍵を長期間使用する場合」、及び、「(2)個人ユーザが同一の公開鍵を1回だけ使用する場合」のいずれの場合においても、次の支払先の店舗Un+1から見て、当該公開鍵(pkUn)で取引された複数の店舗(実名)が、対象取引の複数通貨データから同時に分かる。特に(1)の場合、よく使う店舗に、当該個人ユーザの利用する他店舗(実名)の情報が収集される可能性がある。(1)(2)のいずれの場合も、リスクの多寡は有るが、個人の絞り込みに利用される可能性がある(=疑似IDの考え方に相当)。 In the above scenario, in both cases (1) "when an individual user uses the same public key for a long period of time" and (2) "when an individual user uses the same public key only once," the multiple stores (real names) that were traded with that public key (pkUn) can be simultaneously determined from the multi-currency data of the target transaction from the perspective of the next payment destination store Un+1. In particular, in the case of (1), there is a possibility that information on other stores (real names) used by the individual user may be collected by frequently used stores. In both cases (1) and (2), although there are differences in risk, there is a possibility that this information may be used to narrow down individuals (= equivalent to the idea of pseudo-ID).

 そこで、本実施の形態では、店舗及び個人ユーザの公開鍵を仮名とするとともに、個人ユーザ及び店舗それぞれの公開鍵を定期的に更新することとしているので、通貨データを個人の絞り込み(=疑似IDの考え方に相当)に利用できる可能性を低くしている。 In this embodiment, the public keys of stores and individual users are pseudonyms, and the public keys of individual users and stores are updated periodically, reducing the possibility that currency data can be used to narrow down individuals (corresponding to the idea of a pseudo-ID).

 <プライバシ保護についてのまとめ>
 以上、例1~例4を用いて説明したとおり、本実施の形態では、店舗にとって顧客である個人ユーザのプライバシ保護のために、個人ユーザ及び店舗それぞれの公開鍵を仮名とするとともに、繰り返し利用に制約を設ける。 <Summary of privacy protection>
As explained above using Examples 1 to 4, in this embodiment, in order to protect the privacy of individual users who are customers of stores, the public keys of the individual users and the stores are given pseudonyms and restrictions are placed on repeated use.

 具体的には、個人ユーザ及び店舗それぞれの公開鍵の使用期間を運用上で差し支えない程度に短く設定する。また、特に店舗の公開鍵については、更新を、端末上のセキュアハードウェア(TEE,SE)等により強制することを可能としている。特に機微な(センシティブな)店舗では公開鍵の使用を一回限りとすることが望ましい。なお、セキュアハードウェアを用いて公開鍵の更新を行うことや、1回限りの使用とすることは、個人ユーザに対しても適用してよい。 Specifically, the usage period of the public keys of individual users and stores is set to be short enough that it does not interfere with operations. In particular, for stores' public keys, it is possible to force updates using secure hardware (TEE, SE) on the terminal. In particularly sensitive stores, it is desirable to limit public keys to one-time use only. Note that using secure hardware to update public keys and limiting use to one-time use may also be applied to individual users.

 また、本実施の形態では、後述するように、NNL木方式(変動額面方式)を使用して、1取引に利用される通貨枚数を低減することとしている。これにより、複数の店舗から受け取った通貨が単一取引に混ざり難くなるので、個人ユーザの公開鍵に紐づく店舗情報を少なく出来る。その結果、プライバシ保護の効果を高めることができる。 In addition, in this embodiment, as described below, the NNL tree method (variable face value method) is used to reduce the number of currency notes used in one transaction. This makes it less likely that currency received from multiple stores will be mixed into a single transaction, making it possible to reduce the amount of store information linked to an individual user's public key. As a result, the effectiveness of privacy protection can be improved.

 (第1実施形態の概要:NNL木方式について)
 上述したNNL木方式について説明する。本実施の形態において、通貨の金額は、最小単位(例えば、1円)の集合として表現される。最小単位未満への通貨の分解は許容されない。最小単位が1円であれば、1円単位の固定額面方式を採用することで、(実質的に)変動額面方式(トークンの分割)を実現する。 (Overview of the first embodiment: NNL tree method)
The above-mentioned NNL tree method will be described. In this embodiment, the amount of currency is expressed as a set of the smallest unit (for example, 1 yen). Decomposition of currency into units smaller than the smallest unit is not permitted. If the smallest unit is 1 yen, a fixed face value method in 1 yen units is adopted to (effectively) realize a variable face value method (token division).

 各通貨の真正性を保証するため、上記したように各通貨には発行銀行のサーバによる署名が付加される。1円の集合で通貨を表現する場合、例えば、10000円の発行の際には、10000回の署名が行われる必要がある。この場合、発行時・支払時などの署名生成及び検証コストが非現実的となる。そこで、本実施の形態では、最小単位(1円)をLeaf(葉ノード)とする1つの木構造で1つの通貨の金額を表現することで、発行時・支払時などの署名生成及び検証回数を1回とする。 To guarantee the authenticity of each currency, a signature is added to each currency by the issuing bank's server as described above. If currency is represented by a collection of 1 yen coins, for example, 10,000 signatures must be made when issuing 10,000 yen. In this case, the cost of generating and verifying signatures at the time of issuance and payment becomes unrealistic. Therefore, in this embodiment, the amount of one currency is represented by a single tree structure with the smallest unit (1 yen) as the leaf node, so that signatures are generated and verified only once at the time of issuance and payment.

 本実施の形態では、斯かる木構造としてNNL木(参考文献[1])を採用し、発行時も署名を1回に、かつ、データサイズを非線形に圧縮する。 In this embodiment, an NNL tree (reference [1]) is used as such a tree structure, and when issuing a signature, the signature is issued only once, and the data size is compressed nonlinearly.

 図3は、NNL木を説明するための図である。図1では、Seed(シード)としてのID(図3ではnビットの乱数)に対して、入力された乱数から2倍の長さの乱数を生成する疑似乱数生成器G:{0,1}→{0,1}2nを適用して、2nビットのIDを生成する。その2nビットの前半のnビットと後半のnビットとのそれぞれに対して疑似乱数生成器Gを適用することで更に2nビットの乱数を生成し、合計で4つのnビットのID(乱数)が生成される例が示されている。 Fig. 3 is a diagram for explaining an NNL tree. In Fig. 1, a pseudorandom number generator G: {0,1} n → {0,1} 2n that generates a random number twice as long as an input random number is applied to an ID (n-bit random number in Fig. 3) as a seed to generate a 2n-bit ID. An example is shown in which a pseudorandom number generator G is applied to the first n bits and the second n bits of the 2n bits to generate further 2n-bit random numbers, generating a total of four n-bit IDs (random numbers).

 NNL木よれば、Seedさえ分かれば誰でも4つのIDを求めることができるため、4つのID(4nビット)の情報をnビットの情報(Seed)のみで伝達可能となる。 According to the NNL tree, anyone can find the four IDs as long as they know the Seed, so the information for the four IDs (4n bits) can be transmitted using only n bits of information (Seed).

 なお、図3では、葉ノードが4つである例を示したが、NNL木の深さは特定のものに限定されない。 Note that while Figure 3 shows an example with four leaf nodes, the depth of the NNL tree is not limited to any particular value.

 図4は、本実施の形態における通貨に対するNNL木の適用方法を説明するための図である。 Figure 4 is a diagram to explain how to apply an NNL tree to currency in this embodiment.

 上記したように、本実施の形態において、通貨の金額はNNL木によって表現される。具体的には、NNL木の葉ノードが最小単位(例えば、1円)に対応し、或るNNL木に属する葉ノードの数によって当該NNL木に対応する通貨の金額が決まる。但し、このままでは、NNL木が2分木であることを前提とした場合、2の冪乗での金額しか表現できない。そこで、通貨に対応する葉ノードを指定可能とする。具体的には、NNL木の全葉ノードのうち、通貨に対応する葉ノードの範囲を示す情報を指定可能とすることで、当該NNL木に対応する通貨が、当該範囲に含まれる全葉ノードの数×1円であることを表現可能とする。本実施の形態では、斯かる範囲を示す情報として当該範囲の開始点及び終了点が用いられる例を示す。開始点とは、当該範囲の開始位置となる葉ノードをいう。終了点とは、当該範囲の終了位置となる葉ノードをいう。開始点及び終了点のいずれか一方は、葉ノードの並び順において端(最初又は最後)の葉ノードであるとする。但し、当該範囲を示す情報は開始点及び終了点に限られない。例えば、当該範囲に属する全ての葉ノードが指定されてもよいし、開始点と当該範囲の大きさ(つまり、金額)又は終了点と当該範囲の大きさが指定されてもよい。 As described above, in this embodiment, the amount of currency is represented by an NNL tree. Specifically, the leaf node of the NNL tree corresponds to the smallest unit (for example, 1 yen), and the amount of currency corresponding to a certain NNL tree is determined by the number of leaf nodes belonging to that NNL tree. However, if it is assumed that the NNL tree is a binary tree, in this state, only amounts in powers of 2 can be expressed. Therefore, it is made possible to specify the leaf node corresponding to the currency. Specifically, by making it possible to specify information indicating the range of leaf nodes corresponding to the currency among all leaf nodes of the NNL tree, it is possible to express that the currency corresponding to the NNL tree is the number of all leaf nodes included in the range × 1 yen. In this embodiment, an example is shown in which the start point and end point of the range are used as information indicating such a range. The start point refers to the leaf node that is the start position of the range. The end point refers to the leaf node that is the end position of the range. It is assumed that either the start point or the end point is the leaf node at the end (first or last) in the order of the leaf nodes. However, the information indicating the range is not limited to the start point and end point. For example, all leaf nodes that belong to the range may be specified, or the start point and the size of the range (i.e., the amount) or the end point and the size of the range may be specified.

 例えば、深さが10である2分木のNNL木であれば、葉ノードの数は1024個である。1000円を表現したいのであれば、例えば、開始点を1とし、終了点を1000と指定すればよい。 For example, if you have a binary NNL tree with a depth of 10, the number of leaf nodes is 1024. If you want to represent 1000 yen, you can specify the start point as 1 and the end point as 1000.

 また、上記したように、NNL木は、Seedと深さが分かれば、誰でも全ての葉ノードを導出することができる。そこで、本実施の形態では、1つの通貨の金額を4つのパラメータの組によって表現する。 Also, as mentioned above, anyone can derive all the leaf nodes of an NNL tree if they know the seed and depth. Therefore, in this embodiment, the amount of one currency is represented by a set of four parameters.

 {NNL木のSeed、当該NNL木の深さ、開始点、終了点}
 以下、これら4つのパラメータの組を「通貨ID」という。 {Seed of NNL tree, depth of the NNL tree, start point, end point}
Hereinafter, the set of these four parameters will be referred to as a "currency ID."

 通貨に対する署名(例えば、発行元又は分割元による署名)は、当該通貨に対応するNNL木のSeed単位で行うことで実現される。したがって、署名の数を通貨の最小単位(例えば、1円)ごとではなく、通貨(NNL木)の数ごととすることができる。 Signatures for currencies (e.g., signatures by the issuer or splitter) are realized by signing in units of seeds in the NNL tree corresponding to the currency. Therefore, the number of signatures can be determined per number of currencies (NNL trees) rather than per smallest unit of the currency (e.g., 1 yen).

 例えば、図4のNNL木の開始点がID1、終了点がID8である場合、当該NNL木は8円を表現する。この8円から、ID1~ID4までの4円を分割したい場合、例えば、ID1~ID4までの全ての祖先ノードであるノードn1に対応するID(乱数)が分割後の4円に対応する部分木(NNL木)のルートノードとなる。したがって、この場合、分割後の4円の通貨の通貨IDは以下のようになる。
{01110…1,2,ID1,ID4}
 分割後の部分木のルートノードのSeedを計算しておくことで、その後における当該部分木の各ノードに対応する乱数の計算回数を削減することができる。この場合、発行銀行によって発行された通貨(後述のT)には署名の履歴に基づいて辿ることができる。 For example, if the start point of the NNL tree in Figure 4 is ID1 and the end point is ID8, the NNL tree represents 8 yen. If you want to split 4 yen from ID1 to ID4 from this 8 yen, for example, the ID (random number) corresponding to node n1, which is the ancestor node of all of ID1 to ID4, becomes the root node of the subtree (NNL tree) corresponding to the 4 yen after the split. Therefore, in this case, the currency ID of the 4 yen currency after the split will be as follows:
{01110...1,2,ID1,ID4}
By calculating the seed of the root node of the subtree after division, the number of times to calculate random numbers corresponding to each node of the subtree can be reduced. In this case, the currency issued by the issuing bank (T 0 described later) can be traced based on the signature history.

 但し、分割元のNNL木のルートノードを分割後のNNL木のルートノードとしてもよい。この場合、分割後の4円の通貨の通貨IDは以下のようになる。
{01010…1,3,ID1,ID4}
 この場合、発行銀行によって発行された通貨(後述のT)まで辿って検証するための計算効率が良いという利点が有る。 However, the root node of the original NNL tree may be the root node of the NNL tree after division. In this case, the currency ID of the 4 yen currency after division will be as follows:
{01010...1,3,ID1,ID4}
In this case, there is an advantage that the calculation efficiency for verifying by tracing back to the currency issued by the issuing bank (T 0 described later) is good.

 なお、図4には、便宜上、各ノードに対応する乱数が示されているが、各ノードに対応する乱数は、通貨(NNL木)の分割が行われるまでは管理されなくてよい。換言すれば、分割の際に分割元のNNL木のSeedから、分割後のSeedの乱数が計算されればよい。 Note that for convenience, Figure 4 shows random numbers corresponding to each node, but the random numbers corresponding to each node do not need to be managed until the currency (NNL tree) is split. In other words, when splitting, the random number of the seed after splitting can be calculated from the seed of the original NNL tree.

 また、NNL木は2分木に限られず、2,5,10分木でもよい。2分岐/5分岐・・・と繰り返せば、日常の現金に近い5000円/1000円等に葉ノードの数が完全に一致するNNL木を生成することができる。この場合、5分岐の箇所では疑似乱数生成器G:{0,1}→{0,1}5nを使用し、10分岐の箇所では疑似乱数生成器G10:{0,1}→{0,1}10nを使用すればよい。 Furthermore, the NNL tree is not limited to a binary tree, and may be a 2-, 5-, or 10-ary tree. By repeating 2-branch/5-branch..., it is possible to generate an NNL tree whose number of leaf nodes exactly matches that of 5,000 yen/1,000 yen, which are close to everyday cash. In this case, a pseudorandom number generator G5 : {0,1} n →{0,1} 5n is used at the 5-branch location, and a pseudorandom number generator G10 : {0,1} n →{0,1} 10n is used at the 10-branch location.

 以下、第1実施形態に係る構成と動作を説明する。 The configuration and operation of the first embodiment are described below.

 (第1実施形態の詳細)
 図5は、電子通貨システムのシステム構成の一例を示す図である。第1実施形態に係る電子通貨システム1は、発行銀行サーバ10と、ルート認証局サーバ11と、金融機関サーバ20と、中間認証局サーバ25と、利用者端末30と、を備える。これらの各装置は、インターネット等の通信ネットワークを介して、互いに通信可能に接続されている。 (Details of the First Embodiment)
5 is a diagram showing an example of the system configuration of the electronic currency system. The electronic currency system 1 according to the first embodiment includes an issuing bank server 10, a root certificate authority server 11, a financial institution server 20, an intermediate certificate authority server 25, and a user terminal 30. These devices are connected to each other so as to be able to communicate with each other via a communication network such as the Internet.

 発行銀行サーバ10は、通貨を発行する発行銀行が管理する情報処理装置である。発行銀行サーバ10は、通貨の発行を示すメッセージデータに署名データを付加して金融機関サーバ20に送信する。他に、発行銀行サーバ10は、金融機関サーバ20からの還収の要求を受け付ける機能を有する。 The issuing bank server 10 is an information processing device managed by the issuing bank that issues the currency. The issuing bank server 10 adds signature data to message data indicating the issuance of the currency and transmits it to the financial institution server 20. In addition, the issuing bank server 10 has a function of accepting a withdrawal request from the financial institution server 20.

 ルート認証局サーバ11は、暗号通信におけるルート認証局の機能を有する情報処理装置である。ルート認証局サーバ11は、発行銀行サーバ10と同一のハードウェアによって実現されても良く、発行銀行によって管理されることを想定するが、それに限られない。 The root certification authority server 11 is an information processing device that has the functionality of a root certification authority in cryptographic communication. The root certification authority server 11 may be realized by the same hardware as the issuing bank server 10, and is assumed to be managed by the issuing bank, but is not limited to this.

 ルート認証局サーバ11は、通貨の発行の準備段階として、ルート認証鍵を生成してルート証明書を発行し、中間認証局サーバ12に送信する。また、ルート認証局サーバ11は、各金融機関を認証し、金融機関公開鍵証明書発行情報を生成し、生成された金融機関公開鍵証明書発行情報を発行銀行サーバ10に送信する。 As a preparation step for issuing currency, the root certification authority server 11 generates a root certification key, issues a root certificate, and sends it to the intermediate certification authority server 12. The root certification authority server 11 also authenticates each financial institution, generates financial institution public key certificate issuance information, and sends the generated financial institution public key certificate issuance information to the issuing bank server 10.

 金融機関サーバ20は、金融機関(例えば市中銀行)が管理する情報処理装置である。金融機関サーバ20は、ルート認証局サーバ11による認証を受けて、発行銀行サーバ10から通貨の発行を受け付ける。 The financial institution server 20 is an information processing device managed by a financial institution (e.g., a commercial bank). The financial institution server 20 is authenticated by the root certification authority server 11 and accepts the issuance of currency from the issuing bank server 10.

 また、金融機関サーバ20は、利用者端末30から、引出、両替、預入、与信などの取引の要求を受け付ける。さらに、金融機関サーバ20は、発行銀行サーバ10に還収を要求する。 The financial institution server 20 also accepts requests for transactions such as withdrawals, currency exchange, deposits, and credit from the user terminal 30. Furthermore, the financial institution server 20 requests refunds from the issuing bank server 10.

 なお、以下の説明において各金融機関サーバ20を区別する時は、各金融機関サーバ20を金融機関サーバ20-1、金融機関サーバ20-2等のように記載する。 In the following description, when distinguishing between the financial institution servers 20, the financial institution servers 20 will be referred to as financial institution server 20-1, financial institution server 20-2, etc.

 中間認証局サーバ25は、暗号通信における中間認証局の機能を有する情報処理装置である。中間認証局サーバ25は、金融機関サーバ20と同一のハードウェアによって実現されても良く、金融機関によって管理されることを想定するが、それに限られない。 The intermediate certification authority server 25 is an information processing device that has the function of an intermediate certification authority in cryptographic communication. The intermediate certification authority server 25 may be realized by the same hardware as the financial institution server 20, and is assumed to be managed by the financial institution, but is not limited to this.

 中間認証局サーバ25は、通貨の発行の準備段階として、中間認証鍵を生成して中間証明書を発行し、利用者端末30に送信する。また、中間認証局サーバ25は、各利用者を認証し、利用者公開鍵証明書発行情報を生成する。 As a preparation step for issuing currency, the intermediate certification authority server 25 generates an intermediate authentication key, issues an intermediate certificate, and transmits it to the user terminal 30. The intermediate certification authority server 25 also authenticates each user and generates user public key certificate issuance information.

 なお、以下の説明において各中間認証局サーバ25を区別する時は、各中間認証局サーバ25を中間認証局サーバ25-1、中間認証局サーバ25-2等のように記載する。 In the following description, when distinguishing between the intermediate certification authority servers 25, the intermediate certification authority servers 25 will be referred to as intermediate certification authority server 25-1, intermediate certification authority server 25-2, etc.

 利用者端末30は、通貨を利用する利用者(個人消費者、店舗等)が利用する情報処理装置である。利用者端末30は、取引を開始する前に、中間認証局サーバ25による認証を受ける。また、利用者端末30は、引出、両替、預入、与信などの取引を金融機関サーバ20に要求する。 The user terminal 30 is an information processing device used by users (individual consumers, stores, etc.) who use currency. Before starting a transaction, the user terminal 30 is authenticated by the intermediate authentication authority server 25. In addition, the user terminal 30 requests transactions such as withdrawals, currency exchanges, deposits, and credit from the financial institution server 20.

 なお、以下の説明において各利用者端末30を区別する時は、各利用者端末30を利用者端末30-1、利用者端末30-2等のように記載する。 In the following description, when distinguishing between the user terminals 30, the user terminals 30 will be referred to as user terminal 30-1, user terminal 30-2, etc.

 利用者端末30(例えば利用者端末30-1)は、他の利用者端末30(例えば利用者端末30-2)に支払を要求したり、支払の要求を受け付けたりする。ここで、支払の要求とは、利用者が相手方に支払う「支払」取引の実行を受け付けるように要求することであり、相手方に利用者への支払いを要求することではない。 A user terminal 30 (e.g., user terminal 30-1) requests payment from another user terminal 30 (e.g., user terminal 30-2) and accepts a payment request. Here, a payment request is a request to accept the execution of a "payment" transaction in which the user makes payment to the other party, and is not a request for the other party to make payment to the user.

 (第1実施形態に係る各装置の機能構成例)
 次に、第1実施形態に係る各装置の機能構成例について説明する。 (Example of functional configuration of each device according to the first embodiment)
Next, an example of the functional configuration of each device according to the first embodiment will be described.

 図6は、発行銀行サーバの機能構成図である。発行銀行サーバ10は、通貨発行鍵生成部101と、通貨発行証明書発行部102と、金融機関公開鍵証明書発行情報取得部103と、通貨発行部104と、還収受付部105と、通貨発行鍵記憶部106と、還収済通貨記憶部107と、を備える。 FIG. 6 is a functional block diagram of the issuing bank server. The issuing bank server 10 includes a currency issuance key generation unit 101, a currency issuance certificate issuance unit 102, a financial institution public key certificate issuance information acquisition unit 103, a currency issuing unit 104, a refund acceptance unit 105, a currency issuance key storage unit 106, and a refunded currency storage unit 107.

 通貨発行鍵生成部101は、通貨の発行を示すメッセージデータ(以下、通貨発行メッセージという)の正当性を保証するための暗号鍵データ(以下、通貨発行鍵という)を生成する。通貨発行鍵は、秘密鍵と公開鍵とを含む。 The currency issuance key generation unit 101 generates cryptographic key data (hereafter referred to as the currency issuance key) for guaranteeing the validity of message data indicating the issuance of currency (hereafter referred to as the currency issuance message). The currency issuance key includes a private key and a public key.

 通貨発行証明書発行部102は、通貨発行鍵の公開鍵を証明するための証明書を示すデータ(以下、通貨発行証明書という)を生成して、生成された通貨発行証明書を各金融機関サーバ20および各利用者端末30に送信する。 The currency issuance certificate issuing unit 102 generates data indicating a certificate for certifying the public key of the currency issuance key (hereinafter referred to as the currency issuance certificate), and transmits the generated currency issuance certificate to each financial institution server 20 and each user terminal 30.

 金融機関公開鍵証明書発行情報取得部103は、ルート認証局サーバ11から金融機関公開鍵証明書発行情報を取得する。金融機関公開鍵証明書発行情報については、後述する。 The financial institution public key certificate issuance information acquisition unit 103 acquires financial institution public key certificate issuance information from the root certification authority server 11. The financial institution public key certificate issuance information will be described later.

 通貨発行部104は、通貨発行鍵および金融機関公開鍵証明書発行情報を使用して、通貨発行メッセージを生成し、生成した通貨発行メッセージを金融機関サーバ20に送信する。 The currency issuance unit 104 uses the currency issuance key and the financial institution public key certificate issuance information to generate a currency issuance message and transmits the generated currency issuance message to the financial institution server 20.

 還収受付部105は、金融機関サーバ20から還収を受け付けて、還収済通貨記憶部107に還収された通貨を格納する。還収とは、各金融機関が当面使用しない通貨を発行銀行に預け入れて、流通に戻す取引である。 The refund receiving unit 105 receives refunds from the financial institution server 20 and stores the refunded currency in the refunded currency storage unit 107. A refund is a transaction in which each financial institution deposits currency that it will not be using for the time being with the issuing bank, returning it to circulation.

 通貨発行鍵記憶部106は、通貨発行鍵生成部101によって生成された通貨発行鍵を記憶する。 The currency issuance key storage unit 106 stores the currency issuance key generated by the currency issuance key generation unit 101.

 還収済通貨記憶部107は、還収受付部105が還収を受け付けた通貨(以下、還収済通貨という)を記憶する。 The refunded currency storage unit 107 stores the currency that has been accepted for refund by the refund acceptance unit 105 (hereinafter referred to as refunded currency).

 図7は、ルート認証局サーバの機能構成図である。ルート認証局サーバ11は、ルート認証鍵生成部111と、ルート証明書発行部112と、金融機関認証部113と、金融機関公開鍵証明書発行情報送信部114と、ルート認証鍵記憶部115と、金融機関公開鍵証明書発行情報記憶部116と、を備える。 FIG. 7 is a functional block diagram of the root certification authority server. The root certification authority server 11 includes a root certification key generation unit 111, a root certificate issuance unit 112, a financial institution authentication unit 113, a financial institution public key certificate issuance information transmission unit 114, a root certification key storage unit 115, and a financial institution public key certificate issuance information storage unit 116.

 ルート認証鍵生成部111は、ルート認証局の正当性を保証するための暗号鍵データ(以下、ルート証明鍵という)を生成する。ルート証明鍵は、秘密鍵と公開鍵とを含む。 The root authentication key generation unit 111 generates cryptographic key data (hereinafter referred to as the root certification key) for verifying the legitimacy of the root certification authority. The root certification key includes a private key and a public key.

 ルート証明書発行部112は、中間認証局の正当性を保証するための証明書データ(以下、中間証明書)の正当性を保証するための証明書データ(以下、ルート証明書という)を発行して、各中間認証局サーバ25に送信する。 The root certificate issuing unit 112 issues certificate data (hereafter referred to as a root certificate) for verifying the validity of certificate data (hereafter referred to as an intermediate certificate) for verifying the validity of an intermediate certification authority, and transmits it to each intermediate certification authority server 25.

 金融機関認証部113は、金融機関サーバ20から各金融機関の正当性を保証するための暗号鍵データ(以下、金融機関鍵という)を受信して、認証の要求を受け付ける。そして、金融機関認証部113は、金融機関鍵の公開鍵を証明するための証明書を示すデータ(以下、金融機関公開鍵証明書という)を生成し、生成された金融機関公開鍵証明書を、認証を要求した金融機関サーバ20に送信する。さらに、金融機関認証部113は、金融機関公開鍵証明書の発行を示す情報(以下、金融機関公開鍵証明書発行情報という)を、生成する。 The financial institution authentication unit 113 receives encryption key data (hereinafter referred to as the financial institution key) for guaranteeing the legitimacy of each financial institution from the financial institution server 20 and accepts an authentication request. The financial institution authentication unit 113 then generates data indicating a certificate for certifying the public key of the financial institution key (hereinafter referred to as the financial institution public key certificate) and transmits the generated financial institution public key certificate to the financial institution server 20 that requested authentication. Furthermore, the financial institution authentication unit 113 generates information indicating the issuance of the financial institution public key certificate (hereinafter referred to as the financial institution public key certificate issuance information).

 金融機関公開鍵証明書発行情報送信部114は、生成された金融機関公開鍵証明書発行情報を、発行銀行サーバ10に送信する。なお、発行銀行サーバ10とルート認証局サーバ11とが同一のハードウェアによって実現される場合には、金融機関公開鍵証明書発行情報送信部114は不要である。 The financial institution public key certificate issuance information transmission unit 114 transmits the generated financial institution public key certificate issuance information to the issuing bank server 10. Note that if the issuing bank server 10 and the root certification authority server 11 are realized by the same hardware, the financial institution public key certificate issuance information transmission unit 114 is not necessary.

 ルート認証鍵記憶部115は、ルート認証鍵生成部111によって生成されたルート認証鍵を記憶する。 The root authentication key storage unit 115 stores the root authentication key generated by the root authentication key generation unit 111.

 金融機関公開鍵証明書発行情報記憶部116は、金融機関認証部113によって生成された金融機関公開鍵証明書発行情報を記憶する。 The financial institution public key certificate issuance information storage unit 116 stores the financial institution public key certificate issuance information generated by the financial institution authentication unit 113.

 図8は、金融機関サーバの機能構成図である。金融機関サーバ20は、通貨発行証明書発行受付部201と、金融機関鍵生成部202と、金融機関認証要求部203と、通貨発行受付部204と、引出受付部205と、更新処理部206と、両替・預入受付部207と、支払要求部208と、支払受付部209と、与信受付部210と、還収要求部211と、通貨発行証明書記憶部212と、金融機関鍵記憶部213と、金融機関公開鍵証明書記憶部214と、未使用通貨記憶部215と、使用中通貨記憶部216と、更新済通貨記憶部217と、使用済通貨記憶部218と、を備える。 FIG. 8 is a functional block diagram of the financial institution server. The financial institution server 20 comprises a currency issuance certificate issuance reception unit 201, a financial institution key generation unit 202, a financial institution authentication request unit 203, a currency issuance reception unit 204, a withdrawal reception unit 205, an update processing unit 206, an exchange and deposit reception unit 207, a payment request unit 208, a payment reception unit 209, a credit reception unit 210, a refund request unit 211, a currency issuance certificate memory unit 212, a financial institution key memory unit 213, a financial institution public key certificate memory unit 214, an unused currency memory unit 215, a currency in use memory unit 216, an updated currency memory unit 217, and a used currency memory unit 218.

 通貨発行証明書発行受付部201は、発行銀行サーバ10から通貨発行証明書の発行を受け付ける。 The currency issuance certificate issuance reception unit 201 receives the issuance of a currency issuance certificate from the issuing bank server 10.

 金融機関鍵生成部202は、金融機関鍵を生成する。金融機関鍵は、秘密鍵と公開鍵とを含む。 The financial institution key generation unit 202 generates a financial institution key. The financial institution key includes a private key and a public key.

 金融機関認証要求部203は、ルート認証局サーバ11に、金融機関鍵を送信して金融機関の認証を要求し、ルート認証局サーバ11から金融機関公開鍵証明書を受信する。 The financial institution authentication request unit 203 sends a financial institution key to the root certification authority server 11 to request authentication of the financial institution, and receives a financial institution public key certificate from the root certification authority server 11.

 通貨発行受付部204は、発行銀行サーバ10から通貨の発行を受け付ける。具体的には、通貨発行受付部204は、発行銀行サーバ10から通貨発行メッセージを受信し、受信した通貨発行メッセージの署名を、通貨発行証明書に含まれる公開鍵を用いて検証する。 The currency issuance reception unit 204 accepts the issuance of currency from the issuing bank server 10. Specifically, the currency issuance reception unit 204 receives a currency issuance message from the issuing bank server 10, and verifies the signature of the received currency issuance message using the public key included in the currency issuance certificate.

 引出受付部205は、利用者端末30から引出の要求を受け付けて、利用者端末30に通貨を送信する。 The withdrawal reception unit 205 accepts withdrawal requests from the user terminal 30 and transmits currency to the user terminal 30.

 更新処理部206は、利用者端末30からの引出の要求に対して、必要に応じて使用済みの通貨(以下、使用済通貨という)を更新する。具体的には、更新処理部206は、使用済通貨に付加された情報(通貨付加情報)を削除する。なお、通貨付加情報は、後述する支払の取引によって付加される。引出受付部205は、未使用の通貨(以下、未使用通貨という)または更新処理部206によって更新された通貨を利用者端末30に送信する。 The update processing unit 206 updates used currency (hereinafter referred to as used currency) as necessary in response to a withdrawal request from the user terminal 30. Specifically, the update processing unit 206 deletes information (currency addition information) added to the used currency. Note that currency addition information is added by a payment transaction, which will be described later. The withdrawal acceptance unit 205 transmits unused currency (hereinafter referred to as unused currency) or the currency updated by the update processing unit 206 to the user terminal 30.

 両替・預入受付部207は、利用者端末30から両替または預入の要求を受け付ける。具体的には、両替・預入受付部207が、利用者端末30から両替の要求を受け付けると、支払受付部209が、両替する額面の支払を受け付けて、支払要求部208が、合計が両替する額面となる複数の支払いを要求する。また、両替・預入受付部207が、預入の要求を受け付けると、支払受付部209が、預け入れる額面の支払を受け付ける。 The currency exchange/deposit reception unit 207 accepts requests for currency exchange or deposits from the user terminal 30. Specifically, when the currency exchange/deposit reception unit 207 accepts a request for currency exchange from the user terminal 30, the payment reception unit 209 accepts payment of the amount to be exchanged, and the payment request unit 208 requests multiple payments that total the amount to be exchanged. In addition, when the currency exchange/deposit reception unit 207 accepts a request for a deposit, the payment reception unit 209 accepts payment of the amount to be deposited.

 与信受付部210は、利用者端末30から通貨を受信して与信の要求を受け付ける。与信受付部210は、通貨が使用中の通貨(以下、使用中通貨という)であるか否かを判定し、判定結果を利用者端末30に送信する。 The credit acceptance unit 210 receives currency from the user terminal 30 and accepts a credit request. The credit acceptance unit 210 determines whether the currency is a currency in use (hereinafter referred to as a currency in use) and transmits the determination result to the user terminal 30.

 還収要求部211は、発行銀行サーバ10に通貨を送信して、還収を要求する。 The refund request unit 211 sends the currency to the issuing bank server 10 to request a refund.

 通貨発行証明書記憶部212は、通貨発行証明書発行受付部201が発行を受け付けた通貨発行証明書を記憶する。 The currency issuance certificate storage unit 212 stores the currency issuance certificate that has been accepted for issuance by the currency issuance certificate issuance acceptance unit 201.

 金融機関鍵記憶部213は、金融機関鍵生成部202が生成した金融機関鍵を記憶する。 The financial institution key storage unit 213 stores the financial institution key generated by the financial institution key generation unit 202.

 金融機関公開鍵証明書記憶部214は、金融機関認証要求部203がルート認証局サーバ11から受信した金融機関公開鍵証明書を記憶する。 The financial institution public key certificate storage unit 214 stores the financial institution public key certificate that the financial institution authentication request unit 203 receives from the root certification authority server 11.

 未使用通貨記憶部215は、通貨発行受付部204が発行を受け付けた通貨を未使用通貨として記憶する。 The unused currency storage unit 215 stores the currency that is accepted for issuance by the currency issuance acceptance unit 204 as unused currency.

 使用中通貨記憶部216は、引出受付部205が引出を受け付けた通貨を使用中通貨として記憶する。 The currency in use memory unit 216 stores the currency for which the withdrawal acceptance unit 205 accepts a withdrawal as the currency in use.

 更新済通貨記憶部217は、更新処理部206によって更新された通貨(以下、更新済通貨という)を更新前の状態で記憶する。 The updated currency storage unit 217 stores the currency updated by the update processing unit 206 (hereinafter referred to as the updated currency) in the state before the update.

 使用済通貨記憶部218は、使用された通貨であって、使用中でない通貨を記憶する。具体的には、使用済通貨記憶部218は、両替・預入受付部207が両替または預入の要求を受け付けて、支払受付部209によって支払を受け付けて受信した通貨を、使用済通貨として記憶する。 The used currency storage unit 218 stores currency that has been used but is not currently in use. Specifically, the used currency storage unit 218 stores as used currency the currency that is received when the exchange/deposit reception unit 207 receives a request for exchange or deposit and the payment reception unit 209 receives the payment.

 図9は、中間認証局サーバの機能構成図である。中間認証局サーバ25は、中間認証鍵生成部251と、中間証明書発行部252と、利用者認証部253と、中間認証鍵記憶部254と、利用者公開鍵証明書発行情報記憶部255と、を備える。 FIG. 9 is a functional configuration diagram of the intermediate certification authority server. The intermediate certification authority server 25 includes an intermediate authentication key generation unit 251, an intermediate certificate issuance unit 252, a user authentication unit 253, an intermediate authentication key storage unit 254, and a user public key certificate issuance information storage unit 255.

 中間認証鍵生成部251は、中間認証局の正当性を保証するための暗号鍵データ(以下、中間認証鍵という)を生成する。中間認証鍵は、秘密鍵と公開鍵とを含む。 The intermediate authentication key generation unit 251 generates cryptographic key data (hereinafter referred to as intermediate authentication key) for guaranteeing the legitimacy of the intermediate certification authority. The intermediate authentication key includes a private key and a public key.

 中間証明書発行部252は、中間証明書を発行して、各利用者端末30に送信する。 The intermediate certificate issuing unit 252 issues an intermediate certificate and sends it to each user terminal 30.

 利用者認証部253は、利用者端末30から各利用者の正当性を保証するための暗号鍵データ(以下、利用者鍵という)を受信して、認証の要求を受け付ける。そして、利用者認証部253は、利用者鍵の公開鍵を証明するための証明書を示すデータ(以下、利用者公開鍵証明書という)を生成し、生成された利用者公開鍵証明書を、認証を要求した利用者端末30に送信する。さらに、利用者認証部253は、利用者公開鍵証明書の発行を示す情報(以下、利用者公開鍵証明書発行情報という)を、生成する。 The user authentication unit 253 receives encryption key data (hereinafter referred to as user key) for guaranteeing the legitimacy of each user from the user terminal 30 and accepts an authentication request. The user authentication unit 253 then generates data indicating a certificate for certifying the public key of the user key (hereinafter referred to as user public key certificate), and transmits the generated user public key certificate to the user terminal 30 that requested authentication. Furthermore, the user authentication unit 253 generates information indicating the issuance of the user public key certificate (hereinafter referred to as user public key certificate issuance information).

 中間認証鍵記憶部254は、中間認証鍵生成部251が生成した中間認証鍵を記憶する。 The intermediate authentication key storage unit 254 stores the intermediate authentication key generated by the intermediate authentication key generation unit 251.

 利用者公開鍵証明書発行情報記憶部255は、利用者認証部253が生成した利用者公開鍵証明書発行情報を記憶する。 The user public key certificate issuance information storage unit 255 stores the user public key certificate issuance information generated by the user authentication unit 253.

 図10は、利用者端末30の機能構成図である。利用者端末30は、通貨発行証明書発行受付部301と、中間証明書発行受付部302と、利用者鍵生成部303と、利用者認証要求部304と、引出要求部305と、支払要求部306と、支払受付部307と、両替・預入要求部308と、与信要求部309と、通貨発行証明書記憶部310と、中間証明書記憶部311と、利用者鍵記憶部312と、利用者公開鍵証明書記憶部313と、利用者通貨記憶部314と、を備える。 FIG. 10 is a functional block diagram of the user terminal 30. The user terminal 30 comprises a currency issuance certificate issuance acceptance unit 301, an intermediate certificate issuance acceptance unit 302, a user key generation unit 303, a user authentication request unit 304, a withdrawal request unit 305, a payment request unit 306, a payment acceptance unit 307, an exchange/deposit request unit 308, a credit request unit 309, a currency issuance certificate storage unit 310, an intermediate certificate storage unit 311, a user key storage unit 312, a user public key certificate storage unit 313, and a user currency storage unit 314.

 通貨発行証明書発行受付部301は、発行銀行サーバ10から通貨発行証明書の発行を受け付ける。 The currency issuance certificate issuance reception unit 301 receives the issuance of a currency issuance certificate from the issuing bank server 10.

 中間証明書発行受付部302は、中間認証局サーバ25から中間証明書の発行を受け付ける。 The intermediate certificate issuance reception unit 302 receives the issuance of an intermediate certificate from the intermediate certification authority server 25.

 利用者鍵生成部303は、利用者鍵を生成する。利用者鍵は、秘密鍵と公開鍵とを含む。 The user key generation unit 303 generates a user key. The user key includes a private key and a public key.

 利用者認証要求部304は、中間認証局サーバ25に、利用者鍵を送信して利用者の認証を要求し、中間認証局サーバ25から利用者公開鍵証明書を受信する。 The user authentication request unit 304 sends a user key to the intermediate certification authority server 25 to request authentication of the user, and receives a user public key certificate from the intermediate certification authority server 25.

 引出要求部305は、額面を指定して金融機関サーバ20に引出を要求する。引出要求部305は、金融機関サーバ20から引き出された通貨を受信する。 The withdrawal request unit 305 requests a withdrawal from the financial institution server 20 by specifying the face value. The withdrawal request unit 305 receives the currency withdrawn from the financial institution server 20.

 支払要求部306は、支払う通貨を送信して、金融機関サーバ20または他の利用者端末30に支払を要求する。 The payment request unit 306 transmits the currency to be paid and requests payment from the financial institution server 20 or another user terminal 30.

 支払受付部307は、支払われる通貨を受信して、金融機関サーバ20または他の利用者端末30から支払を受け付ける。 The payment acceptance unit 307 receives the currency to be paid and accepts the payment from the financial institution server 20 or another user terminal 30.

 両替・預入要求部308は、金融機関サーバ20に両替または預入を要求する。具体的には、両替・預入要求部308が両替を要求し、金融機関サーバ20が受け付けると、支払要求部306が、両替する額面の通貨を送信して、金融機関サーバ20に支払を要求し、支払受付部307が、合計が両替する額面となる複数の支払いを金融機関サーバ20から受け付ける。また、両替・預入要求部308が預入を要求し、金融機関サーバ20が受け付けると、支払要求部306が、預け入れる通貨を送信して、金融機関サーバ20に支払を要求する。 The exchange/deposit request unit 308 requests exchange or deposit from the financial institution server 20. Specifically, when the exchange/deposit request unit 308 requests exchange and the financial institution server 20 accepts it, the payment request unit 306 transmits the currency of the face value to be exchanged and requests payment from the financial institution server 20, and the payment acceptance unit 307 accepts multiple payments from the financial institution server 20 that total the face value to be exchanged. Also, when the exchange/deposit request unit 308 requests a deposit and the financial institution server 20 accepts it, the payment request unit 306 transmits the currency to be deposited and requests payment from the financial institution server 20.

 与信要求部309は、通貨を送信して金融機関サーバ20に与信を要求し、与信結果を受信する。 The credit request unit 309 transmits currency to request credit from the financial institution server 20 and receives the credit result.

 通貨発行証明書記憶部310は、通貨発行証明書発行受付部301が発行を受け付けた通貨発行証明書を記憶する。 The currency issuance certificate storage unit 310 stores the currency issuance certificate that has been accepted for issuance by the currency issuance certificate issuance acceptance unit 301.

 中間証明書記憶部311は、中間証明書発行受付部302が発行を受け付けた中間証明書を記憶する。 The intermediate certificate storage unit 311 stores intermediate certificates that have been accepted for issuance by the intermediate certificate issuance acceptance unit 302.

 利用者鍵記憶部312は、利用者鍵生成部303によって生成された利用者鍵を記憶する。 The user key storage unit 312 stores the user key generated by the user key generation unit 303.

 利用者公開鍵証明書記憶部313は、利用者認証要求部304が受信した利用者公開鍵証明書を記憶する。 The user public key certificate storage unit 313 stores the user public key certificate received by the user authentication request unit 304.

 利用者通貨記憶部314は、利用者が使用中の通貨を記憶する。具体的には、利用者通貨記憶部314は、引出要求部305が金融機関サーバ20から受信した通貨と、支払受付部307が金融機関サーバ20または他の利用者端末30から受信した通貨と、を記憶する。 The user currency storage unit 314 stores the currency being used by the user. Specifically, the user currency storage unit 314 stores the currency that the withdrawal request unit 305 receives from the financial institution server 20 and the currency that the payment acceptance unit 307 receives from the financial institution server 20 or another user terminal 30.

 (公開鍵の更新に関わる利用者端末30の構成例)
 前述したように、本実施の形態では、利用者端末30が個人ユーザのものである場合と、店舗のものである場合とのいずれの場合でも、仮名である公開鍵を例えば定期的に更新する。本実施の形態では、この更新をセキュアハードウェア(TEE、SE等)上で実行することとしている。この観点から見た利用者端末30の構成例を図11に示す。 (Example of the configuration of the user terminal 30 involved in updating the public key)
As described above, in this embodiment, the public key, which is a pseudonym, is updated, for example, periodically, regardless of whether the user terminal 30 belongs to an individual user or a store. In this embodiment, this update is performed on secure hardware (TEE, SE, etc.). An example of the configuration of the user terminal 30 from this perspective is shown in FIG. 11.

 なお、定期的に更新される公開鍵を使用して、電子通貨の流通を実行する装置は「利用者端末」と呼ばれる装置に限定されない。定期的に更新される公開鍵を使用して、電子通貨の流通を実行する装置を「通貨処理装置」と呼んでもよい。そのため、図11には、括弧内に「通貨処理装置」を記載している。 Note that a device that uses a regularly updated public key to execute the circulation of electronic currency is not limited to a device called a "user terminal." A device that uses a regularly updated public key to execute the circulation of electronic currency may be called a "currency processing device." For this reason, the "currency processing device" is written in parentheses in Figure 11.

 また、前述したとおり、プライバシ保護のための本発明に係る技術の適用範囲は、電子通貨システムに限らず、様々な情報システムを含む。そのような観点で、「通貨処理装置」を「情報処理装置」と呼んでもよい。 As mentioned above, the scope of application of the technology relating to the present invention for privacy protection is not limited to electronic currency systems, but includes various information systems. From this perspective, a "currency processing device" may also be called an "information processing device."

 図11に示すように、利用者端末30は、セキュア処理部330、及び通貨流通部340を備える。セキュア処理部330は鍵生成部320を備える。なお、通貨流通部340を情報流通部340と呼んでもよい。 As shown in FIG. 11, the user terminal 30 includes a secure processing unit 330 and a currency distribution unit 340. The secure processing unit 330 includes a key generation unit 320. The currency distribution unit 340 may also be called an information distribution unit 340.

 セキュア処理部330は、例えば、Secure Element、あるいはTrustZone(登録商標)等であるが、特定の種類のものに限定されない。セキュア処理部330に保持される情報(テーブル、プログラム、データ等)は、外部から改ざんすることができない。 The secure processing unit 330 is, for example, a Secure Element or TrustZone (registered trademark), but is not limited to a specific type. Information (tables, programs, data, etc.) stored in the secure processing unit 330 cannot be tampered with from the outside.

 セキュア処理部330をセキュアハードウェアと呼んでもよい。セキュア処理部330自体は種々の従来技術を用いて実現可能である。 The secure processing unit 330 may be called secure hardware. The secure processing unit 330 itself can be realized using various conventional technologies.

 例えば、利用者端末30において、セキュア処理を要する処理部(CPU、メモリ等を含む)と、一般的な処理部(CPU、メモリ等を含む)とをハードウェアで完全に分離することで、セキュア処理を要する処理部をセキュア処理部330として実現できる。 For example, in the user terminal 30, the processing unit requiring secure processing (including a CPU, memory, etc.) can be completely separated from the general processing unit (including a CPU, memory, etc.) in hardware, so that the processing unit requiring secure processing can be realized as the secure processing unit 330.

 また、セキュア処理を要する処理部と一般的な処理部とで一部のハードウェアを共有するが、ソフトウェア的にセキュア処理を実現する処理部をセキュア処理部330と呼んでもよい。 In addition, some hardware is shared between processing units that require secure processing and general processing units, but the processing unit that realizes secure processing in software may be called the secure processing unit 330.

 鍵生成部320は、公開鍵と秘密鍵の組の生成を行うとともに、公開鍵と秘密鍵の組の更新を行う。なお、「公開鍵と秘密鍵の組の更新を行う」とは、ある公開鍵と秘密鍵の組を生成した後に、新たに公開鍵と秘密鍵の組を生成することである。鍵生成部320が生成する公開鍵は、利用者端末30の利用者(個人ユーザ、店舗等)を示す実名ではなく、仮名である。 The key generation unit 320 generates a public key and private key pair, and also updates the public key and private key pair. Note that "updating a public key and private key pair" means generating a new public key and private key pair after generating a public key and private key pair. The public key generated by the key generation unit 320 is a pseudonym, not a real name indicating the user (individual user, store, etc.) of the user terminal 30.

 より具体的には、鍵生成部320は、利用者鍵生成部303と、利用者認証要求部304と、利用者鍵記憶部312と、利用者公開鍵証明書記憶部313とを含み、公開鍵と秘密鍵の組の生成時において、後述する図12のシーケンスにおける、利用者鍵生成(S108)、利用者認証要求(S109)、及び利用者公開鍵証明書の取得(S111)を行う。また、鍵生成部320は、発行時・支払時等において、秘密鍵を用いた署名を行ってもよい。 More specifically, the key generation unit 320 includes a user key generation unit 303, a user authentication request unit 304, a user key storage unit 312, and a user public key certificate storage unit 313, and when generating a pair of a public key and a private key, performs user key generation (S108), user authentication request (S109), and acquisition of a user public key certificate (S111) in the sequence of FIG. 12 described below. The key generation unit 320 may also perform signing using the private key at the time of issuance, payment, etc.

 鍵生成部320は、例えば、ある公開鍵と秘密鍵の組を生成してから、予め定められた期間が経過した直後に、新たに公開鍵と秘密鍵の組を生成する(つまり更新を行う)。更新後は、当該新たな公開鍵と秘密鍵の組が使用される。 For example, the key generation unit 320 generates a new public key and private key pair (i.e., updates) immediately after a predetermined period of time has elapsed since generating a public key and private key pair. After updating, the new public key and private key pair is used.

 また、鍵生成部320は、例えば、ある公開鍵と秘密鍵の組を生成してから、生成した公開鍵又は秘密鍵が予め定められた回数だけ使用された直後に、新たに公開鍵と秘密鍵の組を生成する(つまり更新を行う)。更新後は、当該新たな公開鍵と秘密鍵の組が使用される。 In addition, for example, after generating a pair of public key and private key, the key generating unit 320 generates a new pair of public key and private key (i.e., updates) immediately after the generated public key or private key has been used a predetermined number of times. After updating, the new pair of public key and private key is used.

 「生成した公開鍵又は秘密鍵が使用される」とは、秘密鍵を署名に使用すること、公開鍵(あるは公開鍵を含むデータ)を他の装置に送信すること、などである。 "The generated public key or private key is used" means using the private key for signing, sending the public key (or data including the public key) to another device, etc.

 上記期間は、例えば、運用上差支えない程度に短く設定される。また、上記の回数は、運用上差支えない程度に少なく設定される。例えば、上記回数は「1」あってもよい。 The above period is set, for example, to be short enough that it does not cause any operational problems. Also, the above number of times is set to be small enough that it does not cause any operational problems. For example, the above number of times may be "1".

 また、鍵生成部320(あるいは通貨流通部340)は、支払時等における、秘密鍵を用いた署名を、ワンタイム署名(One-time signature)を用いて行ってもよい。この「ワンタイム」は、1つの秘密鍵で1つのデータにのみ署名できることを意味する。鍵生成部320は、ワンタイム署名を実行した直後に、公開鍵と秘密鍵の組の更新を行う。つまり、ワンタイム署名を用いることで、強制的な鍵の更新を行うことができる。また、2回目の署名をした時点で、不正を特定することができる。 In addition, the key generation unit 320 (or the currency circulation unit 340) may use a one-time signature to sign using a private key at the time of payment, etc. This "one-time" means that one private key can only sign one piece of data. The key generation unit 320 updates the public key and private key pair immediately after executing the one-time signature. In other words, the use of a one-time signature makes it possible to forcibly update the keys. Furthermore, fraud can be identified at the time the second signature is made.

 通貨流通部340は、鍵生成部312により生成した公開鍵を含む通貨データの流通を実行する機能を含む。当該通貨データは、公開鍵と署名との組を有するデータが複数個連結されたデータである。また、通貨流通部340は、NNL木を用いた変動額面方式により通貨の流通を実行することができる。 The currency circulation unit 340 includes a function for executing the circulation of currency data including the public key generated by the key generation unit 312. The currency data is data in which multiple pieces of data each having a pair of a public key and a signature are linked together. The currency circulation unit 340 can also execute the circulation of currency using a floating denomination method that uses an NNL tree.

 より具体的には、通貨流通部340は、通貨発行証明書発行受付部301と、中間証明書発行受付部302と、引出要求部305と、支払要求部306と、支払受付部307と、両替・預入要求部308と、与信要求部309と、通貨発行証明書記憶部310と、中間証明書記憶部311と、利用者通貨記憶部314と、を含む。 More specifically, the currency circulation unit 340 includes a currency issuance certificate issuance acceptance unit 301, an intermediate certificate issuance acceptance unit 302, a withdrawal request unit 305, a payment request unit 306, a payment acceptance unit 307, an exchange/deposit request unit 308, a credit request unit 309, a currency issuance certificate storage unit 310, an intermediate certificate storage unit 311, and a user currency storage unit 314.

 なお、セキュア処理部330内に含める機能部と、セキュア処理部330の外側に置く機能部とは、上記の例に限定されない。例えば、前述したように、秘密鍵を使用した署名の処理をセキュア処理部330の鍵生成部320が行ってもよい。また、例えば、図10に示す全ての構成がセキュア処理部330に含まれていてもよい。つまり、図11の通貨流通部340が、セキュア処理部330に含まれていてもよい。 Note that the functional units included within the secure processing unit 330 and the functional units located outside the secure processing unit 330 are not limited to the above examples. For example, as described above, the key generation unit 320 of the secure processing unit 330 may perform the signature process using a private key. Also, for example, all of the configuration shown in FIG. 10 may be included in the secure processing unit 330. In other words, the currency circulation unit 340 in FIG. 11 may be included in the secure processing unit 330.

 (第1実施形態に係る電子通貨システムの動作)
 次に、第1実施形態に係る電子通貨システム1の動作について説明する。以下、発行銀行をB、各金融機関をB(B,B,・・・)、ルート認証局をA、各中間証明局をA(A,A,・・・)、各利用者をU(U,U,・・・)、という記号で概念を示しながら説明する。 (Operation of the Electronic Currency System According to the First Embodiment)
Next, the operation of the electronic currency system 1 according to the first embodiment will be described. Below, the concept will be explained using symbols such as B0 for the issuing bank, Bi for each financial institution ( B0 , B1 , ...), A0 for the root certificate authority, Ai for each intermediate certificate authority ( A0 , A1 , ...), and Uj for each user ( U0 , U1 , ...).

 図12は、通貨発行処理の流れの一例を示すシーケンス図である。通貨発行処理は、定期的に、または担当者の操作等を受けて開始される。 FIG. 12 is a sequence diagram showing an example of the flow of the currency issuance process. The currency issuance process is started periodically or in response to an operation by a person in charge.

 発行銀行サーバ10の通貨発行鍵生成部101は、通貨発行鍵を生成する(ステップS101)。具体的には、通貨発行鍵生成部101は、発行年yと発行額vに対応する通貨発行鍵のペア(秘密鍵skB0vyおよび公開鍵pkB0vy)を生成する。 The currency issuance key generation unit 101 of the issuing bank server 10 generates a currency issuance key (step S101). Specifically, the currency issuance key generation unit 101 generates a currency issuance key pair (private key skB 0vy and public key pkB 0vy ) corresponding to an issuance year y and an issuance amount v.

 そして、通貨発行証明書発行部102は、公開鍵pkB0vyを証明する通貨発行証明書CERT(pkB0vy)を各金融機関サーバ20に送信し(ステップS102)、各利用者端末30に送信する(ステップS103)。各金融機関サーバ20の通貨発行証明書発行受付部201は、通貨発行証明書CERT(pkB0vy)を受信して、通貨発行証明書記憶部212に記憶させる。また、各利用者端末30の通貨発行証明書発行受付部301は、通貨発行証明書CERT(pkB0vy)を受信して、通貨発行証明書記憶部310に記憶させる。 Then, the currency issuance certificate issuing unit 102 transmits the currency issuance certificate CERT (pkB 0vy ) certifying the public key pkB 0vy to each financial institution server 20 (step S102), and transmits it to each user terminal 30 (step S103). The currency issuance certificate issuance acceptance unit 201 of each financial institution server 20 receives the currency issuance certificate CERT (pkB 0vy ) and stores it in the currency issuance certificate storage unit 212. Also, the currency issuance certificate issuance acceptance unit 301 of each user terminal 30 receives the currency issuance certificate CERT (pkB 0vy ) and stores it in the currency issuance certificate storage unit 310.

 発行額vは、最小単位(例えば、1円)の倍数である。例えば、2021年に10000円の通貨を発行する場合、通貨発行証明書発行部102は、通貨発行証明書CERT(pkB0(10000円)(2021年))を各金融機関サーバ20および各利用者端末30に送信する。 The issuance amount v is a multiple of the smallest unit (e.g., 1 yen). For example, when issuing currency of 10,000 yen in the year 2021, the currency issuance certificate issuing unit 102 transmits the currency issuance certificate CERT(pkB 0(10,000 yen)(2021) ) to each financial institution server 20 and each user terminal 30.

 なお、通貨発行証明書発行部102は、通貨発行証明書CERT(pkB0vy)を直接に各金融機関サーバ20および各利用者端末30に送信しなくても良く、例えば、通信ネットワークで公開されているサーバ装置等にアップロードし、各金融機関サーバ20および各利用者端末30にダウンロードさせるようにしても良い。 It should be noted that the currency issuance certificate issuing unit 102 does not have to transmit the currency issuance certificate CERT(pkB 0vy ) directly to each financial institution server 20 and each user terminal 30. For example, it may upload the currency issuance certificate CERT(pkB 0vy) to a server device or the like that is publicly available on a communication network, and then have it downloaded to each financial institution server 20 and each user terminal 30.

 次に、ルート認証局サーバ11のルート認証鍵生成部111は、ルート認証鍵を生成する(ステップS104)。ルート認証鍵は、秘密鍵skAおよび公開鍵pkAを含む。続いて、ルート証明書発行部112は、秘密鍵skAで署名してルート証明書Auth(pkA)を生成し、各金融機関サーバ20に送信する(ステップS105)。 Next, the root certification key generation unit 111 of the root certification authority server 11 generates a root certification key (step S104). The root certification key includes a private key skA 0 and a public key pkA 0. Next, the root certificate issuance unit 112 generates a root certificate Auth(pkA 0 ) by signing with the private key skA 0 and transmits it to each financial institution server 20 (step S105).

 なお、ルート証明書発行部112は、直接にルート証明書Auth(pkA)を各金融機関サーバ20に送信しなくても良く、例えば、通信ネットワークで公開されているサーバ装置等にアップロードし、各金融機関サーバ20にダウンロードさせるようにしても良い。 In addition, the root certificate issuing unit 112 does not have to directly send the root certificate Auth(pkA 0 ) to each financial institution server 20. For example, it may upload it to a server device or the like that is publicly available on a communication network, and then have it downloaded to each financial institution server 20.

 続いて、中間認証局サーバ25の中間認証鍵生成部251は、中間認証鍵を生成する(ステップS106)。中間認証鍵は、秘密鍵skAおよび公開鍵pkAを含む。 Next, the intermediate authentication key generating unit 251 of the intermediate authentication authority server 25 generates an intermediate authentication key (step S106). The intermediate authentication key includes a secret key skA i and a public key pkA i .

 次に、中間証明書発行部252は、秘密鍵skAで署名し、ルート証明書Auth(pkA)を使用して中間証明書Auth(pkA,pkA)を生成する。以下、中間証明書Auth(pkA,pkA)はAuth(pkA)と表記する。そして、中間証明書発行部252は、生成した中間証明書Auth(pkA)を各利用者端末30に送信する(ステップS107)。各利用者端末30の中間証明書発行受付部302は、中間証明書Auth(pkA)を受信して、中間証明書記憶部311に記憶させる。 Next, the intermediate certificate issuance unit 252 signs with the private key skA i and generates an intermediate certificate Auth(pkA i , pkA 0 ) using the root certificate Auth(pkA 0 ). Hereinafter, the intermediate certificate Auth(pkA i , pkA 0 ) is written as Auth(pkA i ). Then, the intermediate certificate issuance unit 252 transmits the generated intermediate certificate Auth(pkA i ) to each user terminal 30 (step S107). The intermediate certificate issuance acceptance unit 302 of each user terminal 30 receives the intermediate certificate Auth(pkA i ) and stores it in the intermediate certificate storage unit 311.

 なお、中間証明書発行部252は、直接に中間証明書Auth(pkA)を各利用者端末30に送信しなくても良く、例えば、通信ネットワークで公開されているサーバ装置等にアップロードし、各利用者端末30にダウンロードさせるようにしても良い。 In addition, the intermediate certificate issuance unit 252 does not have to directly transmit the intermediate certificate Auth(pkA i ) to each user terminal 30. For example, it may upload the intermediate certificate Auth(pkA i ) to a server device or the like that is publicly available on a communication network, and then have the intermediate certificate Auth(pkA i ) downloaded to each user terminal 30.

 続いて、利用者端末30の利用者鍵生成部303は、利用者鍵を生成する(ステップS108)。利用者鍵は、秘密鍵skUおよび公開鍵pkUを含む。次に、利用者認証要求部304は、公開鍵pkUを送信して、利用者認証を中間認証局サーバ25に要求する(ステップS109)。 Next, the user key generation unit 303 of the user terminal 30 generates a user key (step S108). The user key includes a secret key skUj and a public key pkUj . Next, the user authentication request unit 304 transmits the public key pkUj to request user authentication from the intermediate certification authority server 25 (step S109).

 中間認証局サーバ25の利用者認証部253は、ルート証明書Auth(pkA)および中間証明書Auth(pkA)を用いて、利用者公開鍵証明書Auth(pkU,pkA,pkA)を生成する(ステップS110)。以下、利用者公開鍵証明書Auth(pkU,pkA,pkA)はAuth(pkU)と表記する。利用者認証部253は、生成した利用者公開鍵証明書Auth(pkU)を利用者端末30に送信する(ステップS111)。利用者端末30は、秘密鍵skUおよび公開鍵pkUおよび利用者公開鍵証明書Auth(pkU)を保持する。 The user authentication unit 253 of the intermediate certification authority server 25 generates a user public key certificate Auth(pkUj, pkAi , pkA0 ) using the root certificate Auth( pkA0 ) and the intermediate certificate Auth( pkAi ) (step S110 ) . Hereinafter, the user public key certificate Auth( pkUj , pkAi , pkA0 ) will be written as Auth(pkUj ) . The user authentication unit 253 transmits the generated user public key certificate Auth( pkUj ) to the user terminal 30 (step S111). The user terminal 30 holds the private key skUj , the public key pkUj , and the user public key certificate Auth( pkUj ).

 さらに、利用者認証部253は、利用者公開鍵証明書発行情報(U,pkU,Auth(pkU))を生成し、利用者公開鍵証明書発行情報記憶部255に記憶させる。利用者公開鍵証明書発行情報(U,pkU,Auth(pkU))は、利用者の個人情報Uを含んでいる。 Furthermore, the user authentication unit 253 generates user public key certificate issuance information ( Uj , pkUj , Auth( pkUj )) and stores it in the user public key certificate issuance information storage unit 255. The user public key certificate issuance information ( Uj , pkUj , Auth( pkUj )) includes personal information Uj of the user.

 次に、金融機関サーバ20の金融機関鍵生成部202は、金融機関鍵を生成する(ステップS112)。金融機関鍵は、秘密鍵skBおよび公開鍵pkBを含む。次に、金融機関認証要求部203は、公開鍵pkBを送信して、金融機関認証をルート認証局サーバ11に要求する(ステップS113)。 Next, the financial institution key generation unit 202 of the financial institution server 20 generates a financial institution key (step S112). The financial institution key includes a private key skBi and a public key pBi . Next, the financial institution authentication request unit 203 transmits the public key pBi to request financial institution authentication from the root certification authority server 11 (step S113).

 ルート認証局サーバ11の金融機関認証部113は、ルート証明書Auth(pkA)を用いて、金融機関公開鍵証明書Auth(pkB,pkA)を生成する(ステップS114)。以下、金融機関公開鍵証明書Auth(pkB,pkA)はAuth(pkB)と表記する。金融機関認証部113は、生成した金融機関公開鍵証明書Auth(pkB)を金融機関サーバ20に送信する(ステップS115)。金融機関サーバ20は、秘密鍵skBおよび公開鍵pkBおよび金融機関公開鍵証明書Auth(pkB)を保持する。 The financial institution authentication unit 113 of the root certification authority server 11 generates a financial institution public key certificate Auth(pkB i , pkA 0 ) using the root certificate Auth(pkA 0 ) (step S114). Hereinafter, the financial institution public key certificate Auth(pkB i , pkA 0 ) will be referred to as Auth(pkB i ). The financial institution authentication unit 113 transmits the generated financial institution public key certificate Auth(pkB i ) to the financial institution server 20 (step S115). The financial institution server 20 holds the private key skB i , the public key pkB i and the financial institution public key certificate Auth(pkB i ).

 さらに、金融機関認証部113は、金融機関公開鍵証明書発行情報(B,pkB,Auth(pkB))を生成し、金融機関公開鍵証明書発行情報記憶部116に記憶させる。なお、金融機関公開鍵証明書発行情報(B,pkB,Auth(pkB))は、金融機関についての機関情報Bを含んでいる。そして、金融機関公開鍵証明書発行情報送信部114は、金融機関公開鍵証明書発行情報(B,pkB,Auth(pkB))を発行銀行サーバ10に送信する(ステップS116)。 Furthermore, the financial institution authentication unit 113 generates financial institution public key certificate issuance information (B i , pkB i , Auth(pkB i )) and stores it in the financial institution public key certificate issuance information storage unit 116. The financial institution public key certificate issuance information (B i , pkB i , Auth(pkB i )) includes institution information B i about the financial institution. Then, the financial institution public key certificate issuance information transmission unit 114 transmits the financial institution public key certificate issuance information (B i , pkB i , Auth(pkB i )) to the issuing bank server 10 (step S116).

 発行銀行サーバ10の金融機関公開鍵証明書発行情報取得部103は、金融機関公開鍵証明書発行情報(B,pkB,Auth(pkB))を取得して、金融機関公開鍵証明書発行情報記憶部116に記憶させる。 The financial institution public key certificate issuance information acquisition unit 103 of the issuing bank server 10 acquires the financial institution public key certificate issuance information (B i , pkB i , Auth(pkB i )) and stores it in the financial institution public key certificate issuance information storage unit 116 .

 なお、ステップS108からステップS111までの処理と、ステップS112からステップS116までの処理の順序は一例であって、逆でも良い。ステップS108からステップS111までの処理は、各利用者端末30によってそれぞれ個別に実行される。またステップS112からステップS116までの処理は、各金融機関サーバ20によってそれぞれ個別に実行される。 Note that the order of the processes from step S108 to step S111 and the processes from step S112 to step S116 is just an example, and may be reversed. The processes from step S108 to step S111 are executed individually by each user terminal 30. The processes from step S112 to step S116 are executed individually by each financial institution server 20.

 また、利用者端末30は、利用者鍵を追加するため、ステップS108からステップS111までの処理を複数回実行しても良い。また、前述したとおり、利用者端末30は、予め定めた期間(又は回数)が満了した場合における公開鍵及び秘密鍵の更新時に、ステップS108からステップS111までの処理を実行する。 The user terminal 30 may also execute the process from step S108 to step S111 multiple times to add a user key. As described above, the user terminal 30 executes the process from step S108 to step S111 when updating the public key and private key when a predetermined period (or number of times) has expired.

 次に、発行銀行サーバ10の通貨発行部104は、金融機関公開鍵証明書発行情報記憶部116に記憶された金融機関公開鍵証明書発行情報(B,pkB,Auth(pkB))を使用し、発行額vに基づく通貨IDであるid、発行年y、金融機関Bを指定した通貨発行メッセージ(id,y,B,pkB)を生成する(ステップS117)。なお、通貨IDの構造にいついては図4において説明した通りであるが、その生成方法については後述される。ここで、通貨発行部104は、通貨発行鍵記憶部106に記憶された通貨発行鍵の秘密鍵skB0vyを使用して(id,y,B,pkB)に署名する。通貨発行部104は、署名Sが付加された通貨発行メッセージ(id,y,B,pkB)を、金融機関サーバ20に送信する(ステップS118)。なお、後述より明らかなように、通貨発行メッセージは、発行対象の通貨の生成に利用される。したがって、通貨発行メッセージの生成は、実質的に、通貨の発行に相当する。 Next, the currency issuing unit 104 of the issuing bank server 10 uses the financial institution public key certificate issuance information (B i , pkB i , Auth(pkB i )) stored in the financial institution public key certificate issuance information storage unit 116 to generate a currency issuance message (id 0 , y, B i , pkB i ) that specifies the currency ID id 0 based on the issuance amount v, the issuance year y, and the financial institution B i (step S117). Note that the structure of the currency ID is as described in FIG. 4, and the method of generating it will be described later. Here, the currency issuing unit 104 signs (id 0 , y, B i , pkB i ) using the private key skB 0vy of the currency issuance key stored in the currency issuance key storage unit 106. The currency issuing unit 104 transmits the currency issuance message (id 0 , y, B i , pkB i ) with the signature S 0 attached to the financial institution server 20 (step S118). As will be apparent from the following description, the currency issuance message is used to generate the currency to be issued. Therefore, the generation of the currency issuance message essentially corresponds to the issuance of the currency.

 金融機関サーバ20の通貨発行受付部204は、署名Sが付加された通貨発行メッセージ(id,y,B,pkB)を受信して、通貨発行証明書記憶部212に記憶された通貨発行証明書CERT(pkB0vy)に含まれる公開鍵pkB0vyを使用して署名Sを検証する。そして、通貨発行受付部204は、通貨T:=(id,y,B,pkB,S)を生成して未使用通貨記憶部215に記憶させる。 The currency issuance acceptance unit 204 of the financial institution server 20 receives the currency issuance message (id 0 , y, B i , pkB i ) with the signature S 0 added, and verifies the signature S 0 using the public key pkB 0vy included in the currency issuance certificate CERT (pkB 0vy ) stored in the currency issuance certificate memory unit 212. Then, the currency issuance acceptance unit 204 generates currency T 0 := (id 0 , y, B i , pkB i , S 0 ) and stores it in the unused currency memory unit 215.

 ステップS117の通貨発行メッセージの生成における通貨IDの生成について説明する。 The following describes how the currency ID is generated when generating the currency issuance message in step S117.

 図13は、通貨発行時における通貨IDの生成処理の処理手順の一例を説明するためのフローチャートである。 FIG. 13 is a flowchart illustrating an example of the processing steps for generating a currency ID when issuing currency.

 ステップS121において、通貨発行部104は、発行額vに対応する数以上の葉ノードを含む最小のNNL木の深さを計算する。当該深さの計算は、実質的に、当該NNL木の構造の生成に相当する。発行額vに対応する数以上の葉ノードとは、発行額vを表現可能な数の葉ノードをいい、発行額vを最小単位(例えば、1円)で除した値以上の数の葉ノードをいう。最小単位が1円であり、v=8円であれば、8個の葉ノードが必要となる。NNL木を2分木とした場合、8個の葉ノードを含みうる2分木の深さは3以上である。したがって、3以上の中で最小の値である3が当該NNL木の深さとなる。 In step S121, the currency issuing unit 104 calculates the depth of the smallest NNL tree that contains leaf nodes equal to or greater than the issuance amount v. The calculation of the depth essentially corresponds to the generation of the structure of the NNL tree. A leaf node equal to or greater than the issuance amount v means a number of leaf nodes that can express the issuance amount v, and refers to a number of leaf nodes equal to or greater than the value obtained by dividing the issuance amount v by the smallest unit (e.g., 1 yen). If the smallest unit is 1 yen and v = 8 yen, then 8 leaf nodes are required. If the NNL tree is a binary tree, the depth of a binary tree that can contain 8 leaf nodes is 3 or greater. Therefore, 3, the smallest value among 3 or greater, becomes the depth of the NNL tree.

 続いて、通貨発行部104は、当該NNL木のSeedとなる乱数を生成する(S122)。 Next, the currency issuing unit 104 generates a random number that will become the seed of the NNL tree (S122).

 続いて、通貨発行部104は、当該NNL木の葉ノードのうち、発行額vに対応させる葉ノードの開始点及び終了点を決定する(S123)。開始点及び終了点のいずれか一方が、当該NNL木の端の葉ノードであり、開始点から終了点までの連続する葉ノードの集合が発行額vに一致するように、開始点及び終了点が決定される。なお、開始点及び終了点の値は、NNL木の葉ノードにおける順番を示す値によって表現されればよい。すなわち、NNL木において開始点及び終了点に対応する乱数は計算されなくてよい。 Then, the currency issuing unit 104 determines the start point and end point of the leaf node of the NNL tree that corresponds to the issuance amount v (S123). One of the start point and end point is a leaf node at the end of the NNL tree, and the start point and end point are determined so that the set of consecutive leaf nodes from the start point to the end point matches the issuance amount v. The values of the start point and end point may be expressed by values that indicate the order in the leaf nodes of the NNL tree. In other words, random numbers corresponding to the start point and end point in the NNL tree do not need to be calculated.

 続いて、通貨発行部104は、{Seed,深さ,開始点,終了点}のセットを通貨IDとして生成する(S124)。 Next, the currency issuing unit 104 generates a set of {Seed, depth, start point, end point} as a currency ID (S124).

 図14は、引出処理の流れの一例を示すシーケンス図である。引出処理は、利用者Uの引出を指示する操作に応じて開始される。 14 is a sequence diagram showing an example of the flow of a withdrawal process, which is started in response to an operation of a user Uj instructing a withdrawal.

 利用者端末30の引出要求部305は、引出の額面vを示す額面情報と、利用者鍵記憶部312に記憶された利用者鍵の公開鍵pkUと、を送信して、金融機関サーバ20に引出を要求する(ステップS201)。 The withdrawal request unit 305 of the user terminal 30 transmits denomination information indicating the denomination v of the withdrawal and the public key pkU j of the user key stored in the user key storage unit 312 to request a withdrawal from the financial institution server 20 (step S201).

 金融機関サーバ20の引出受付部205は、引出を受け付ける(ステップS202)。具体的には、引出受付部205は、未使用通貨記憶部215から額面v分の未使用通貨Tを取得して、通貨付加情報T:=(id,pkU,S)を付加した使用中通貨(T,T)として、使用中通貨記憶部216に記憶させる。Sは、金融機関鍵の秘密鍵skBを用いた(id,pkU,T)に対する署名である。また、idは使用中通貨(T,T)の額面に基づく、移転対象の通貨の通貨IDである。通貨Tが額面vに一致する場合には、idの値は、通貨Tの通貨IDであるidと同じでよい。また、複数の通貨Tのセットが額面vに一致する場合には、引出受付部205は、これらの通貨Tごとに通貨(T,T)を生成すればよい。この場合、各Tのidの値は、対応するidと同じでよい。 The withdrawal acceptance unit 205 of the financial institution server 20 accepts the withdrawal (step S202). Specifically, the withdrawal acceptance unit 205 acquires unused currency T0 of face value v from the unused currency storage unit 215, and stores it in the currency storage unit 216 as the currency in use ( T1 , T0 ) to which currency additional information T1 :=( id1 , pkUj , S1 ) is added. S1 is a signature for ( id1 , pkUj , T0 ) using the private key skBi of the financial institution key. In addition, id1 is the currency ID of the currency to be transferred based on the face value of the currency in use ( T1 , T0 ). When the currency T0 matches the face value v, the value of id1 may be the same as id0 , which is the currency ID of the currency T0 . Also, when a set of multiple currencies T0 matches the face value v, the withdrawal acceptance unit 205 may generate a currency ( T1 , T0 ) for each of these currencies T0 . In this case, the value of id1 of each T1 may be the same as the corresponding id1 .

 一方、通貨Tが額面vを超える場合、又は複数の通貨Tのセットでは額面vを超える場合、引出受付部205は、通貨Tの一部を分割して通貨(T,T)を生成する。例えば、額面vが1000円であり通貨Tが5000円である場合、引出受付部205は、通貨Tから1000円分を分割して1000円としての通貨(T,T)を生成する。また、例えば、額面vが7000円であり、各通貨Tが5000円である場合、引出受付部205は、2枚の通貨Tのうちの一方から2000円分を分割して2000円としての通貨(T,T)を生成する。通貨Tの分割は、通貨Tが含むidとしてのNNL木の分割によって実現される。NNL木は通貨の金額をも表現するからである。このような通貨の分割処理については後述される。 On the other hand, when the currency T0 exceeds the face value v, or when the set of multiple currencies T0 exceeds the face value v, the withdrawal acceptance unit 205 divides a part of the currency T0 to generate a currency ( T1 , T0 ). For example, when the face value v is 1000 yen and the currency T0 is 5000 yen, the withdrawal acceptance unit 205 divides 1000 yen from the currency T0 to generate a currency ( T1 , T0 ) of 1000 yen. Also, for example, when the face value v is 7000 yen and each currency T0 is 5000 yen, the withdrawal acceptance unit 205 divides 2000 yen from one of the two currencies T0 to generate a currency ( T1 , T0 ) of 2000 yen. The division of the currency T0 is realized by dividing the NNL tree as the id0 included in the currency T0 . This is because the NNL tree also expresses the amount of the currency. The process of dividing such currency is described below.

 このように、通貨が引出や支払等によって移転するたびに、当該通貨には移転元によって署名された通貨付加情報が累積的に付与される。したがって、通貨付加情報は、通貨の移転の履歴を示す情報であるともいえる。 In this way, each time currency is transferred by withdrawal, payment, etc., currency additional information signed by the transfer source is cumulatively added to the currency. Therefore, currency additional information can be said to be information that indicates the history of currency transfers.

 続いて、引出受付部205は、使用中通貨(T,T)の通貨データと、金融機関公開鍵証明書Auth(pkB)とを利用者端末30に送信する(ステップS203)。利用者端末30の引出要求部305は、使用中通貨(T,T)の通貨データと、金融機関公開鍵証明書Auth(pkB)とを検証し、使用中通貨(T,T)を利用者通貨記憶部314に記憶させる。(T,T)を未使用通貨と呼んでもよい。 Next, the withdrawal acceptance unit 205 transmits the currency data of the currency in use (T 1 , T 0 ) and the financial institution public key certificate Auth(pkB i ) to the user terminal 30 (step S203). The withdrawal request unit 305 of the user terminal 30 verifies the currency data of the currency in use (T 1 , T 0 ) and the financial institution public key certificate Auth(pkB i ), and stores the currency in use (T 1 , T 0 ) in the user currency storage unit 314. (T 1 , T 0 ) may be called unused currency.

 なお、ステップS202において、引出受付部205は、必要に応じて、未使用通貨記憶部215に記憶された未使用通貨ではなく使用済通貨記憶部218に記憶された使用済通貨を使用しても良い。この場合、更新処理部206が、使用済通貨を更新し、通貨付加情報が削除された通貨に更新する。引出受付部205は、使用済通貨を使用するか否かを、あらかじめ定められた条件にしたがって決定する。例えば、引出受付部205は、使用済通貨が閾値以上のデータ量になった場合に、使用済通貨を使用するようにしても良い。 In step S202, the withdrawal acceptance unit 205 may use the used currency stored in the used currency storage unit 218 instead of the unused currency stored in the unused currency storage unit 215, as necessary. In this case, the update processing unit 206 updates the used currency to a currency from which the currency additional information has been deleted. The withdrawal acceptance unit 205 decides whether to use the used currency in accordance with predetermined conditions. For example, the withdrawal acceptance unit 205 may use the used currency when the data volume of the used currency reaches or exceeds a threshold value.

 例えば、引出受付部205が使用済通貨(T,・・・,T)を引出に対して利用する場合、更新処理部206は、更新前の状態の通貨(T,・・・,T)を更新済通貨記憶部217に記憶させる。そして、更新処理部206は、使用済通貨(T,・・・,T)を、通貨付加情報(T,・・・,T)が削除された通貨Tに更新する。そして、引出受付部205は、更新された通貨Tに通貨付加情報Tn+1:=(idn+1,pkU,Sn+1)を付加した使用中通貨(Tn+1,T)を、使用中通貨記憶部216に記憶させる。この際、idn+1の値(内容)は、Tに含まれている通貨IDと同じでよい。 For example, when the withdrawal acceptance unit 205 uses used currency (T n , ..., T 0 ) for withdrawal, the update processing unit 206 stores the currency (T n , ..., T 0 ) in the state before the update in the updated currency storage unit 217. Then, the update processing unit 206 updates the used currency (T n , ..., T 0 ) to currency T 0 from which the currency additional information (T n , ..., T 1 ) has been deleted. Then, the withdrawal acceptance unit 205 stores the currency in use (T n+1 , T 0 ) obtained by adding currency additional information T n+1 := (id n +1 , pkU j , S n+1 ) to the updated currency T 0 in the currency in use storage unit 216. At this time, the value (contents) of id n+1 may be the same as the currency ID included in T n .

 続いて、引出受付部205は、使用中通貨(Tn+1,T)の通貨データと、金融機関公開鍵証明書Auth(pkB)とを利用者端末30に送信する(ステップS203)。利用者端末30の引出要求部305は、使用中通貨(Tn+1,T)の通貨データと、金融機関公開鍵証明書Auth(pkB)とを検証し、使用中通貨(Tn+1,T)を利用者通貨記憶部314に記憶させる。 Next, the withdrawal acceptance unit 205 transmits the currency data of the currency in use (T n+1 , T 0 ) and the financial institution public key certificate Auth(pkB i ) to the user terminal 30 (step S203). The withdrawal request unit 305 of the user terminal 30 verifies the currency data of the currency in use (T n+1 , T 0 ) and the financial institution public key certificate Auth(pkB i ), and stores the currency in use (T n+1 , T 0 ) in the user currency storage unit 314.

 また、更新処理部206は、すでに1回以上更新された通貨を再度更新しても良い。この場合、更新処理部206は、以前の更新前の状態の通貨(T,・・・T,T)に、今回の更新前の状態の通貨(Tn+k,・・・,Tn+1,T)を結合した通貨(Tn+k,・・・,T,T)を更新済通貨記憶部217に記憶させる。 The update processing unit 206 may also update a currency that has already been updated one or more times. In this case, the update processing unit 206 stores in the updated currency storage unit 217 a currency (Tn+ k , ..., T1 , T0 ) that is obtained by combining a currency (Tn , ..., T1 , T0 ) in a state before the previous update with a currency (Tn +k , ..., Tn +1 , T0 ) in a state before the current update.

 ステップS202において、通貨の分割が必要な場合に実行される通貨の分割処理の詳細について説明する。図15は、通貨の分割処理の処理手順の一例を説明するためのフローチャートである。 The details of the currency split process that is executed in step S202 when currency splitting is necessary will be described. Figure 15 is a flowchart for explaining an example of the processing procedure for currency splitting.

 ステップS211において、引出受付部205は、引出の額面vに対応する数以上の葉ノードを含む最小のNNL木(以下、「分割先のNNL木」という。)の深さを計算する。斯かる深さの計算方法は、図13のステップS121と同様である。 In step S211, the withdrawal reception unit 205 calculates the depth of the smallest NNL tree (hereinafter referred to as the "destination NNL tree") that contains at least the number of leaf nodes corresponding to the denomination v of the withdrawal. The method of calculating the depth is the same as in step S121 of FIG. 13.

 続いて、引出受付部205は、分割対象の通貨の通貨IDとしてのNNL木(以下、「分割元のNNL木」という。)のノードの中から、分割先のNNL木のルートノードとするノードを決定する(S212)。ここで、分割先のNNL木は、分割元のNNL木の部分木である。分割先のNNL木の深さが計算されているため、分割先のNNL木のルートノードが分割元のNNL木のどの階層のノードであるかが特定できる。引出受付部205は、当該階層に属するノードのうち、端に位置する(分割元のNNL木の開始点の祖先である)ノードを分割先のNNL木のルートノードとして決定する。例えば、図4において説明した分割が行われるのであれば、図4のノードN2が分割先のNNL木のルートノードとして決定される。 Then, the withdrawal reception unit 205 determines a node to be the root node of the destination NNL tree from among the nodes of the NNL tree (hereinafter referred to as the "original NNL tree") as the currency ID of the currency to be split (S212). Here, the destination NNL tree is a subtree of the original NNL tree. Since the depth of the destination NNL tree has been calculated, it is possible to identify which layer of the original NNL tree the root node of the destination NNL tree is. The withdrawal reception unit 205 determines the node located at the end (the ancestor of the starting point of the original NNL tree) among the nodes belonging to that layer as the root node of the destination NNL tree. For example, if the split described in FIG. 4 is performed, node N2 in FIG. 4 is determined as the root node of the destination NNL tree.

 続いて、引出受付部205は、当該ルートノードに対応する乱数(すなわち、分割先のNNL木のSeed)を、分割元のNNL木のSeedに基づいて計算する(S213)。具体的には、図3において説明したように、分割元のNNL木のSeedに対して疑似乱数生成器Gを再帰的に適用することで、分割先のNNL木のSeedを算出することができる。 Then, the withdrawal reception unit 205 calculates a random number corresponding to the root node (i.e., the seed of the NNL tree to be split) based on the seed of the original NNL tree (S213). Specifically, as described in FIG. 3, the seed of the NNL tree to be split can be calculated by recursively applying the pseudorandom number generator G to the seed of the original NNL tree.

 続いて、引出受付部205は、分割先のNNL木の葉ノードのうち、額面vに対応させる葉ノードの開始点及び終了点を決定する(S214)斯かる葉ノードの決定方法は、図13のステップS123において説明した方法と同様でよい。 Next, the withdrawal reception unit 205 determines the start and end points of the leaf nodes of the NNL tree to be split that correspond to the face value v (S214). The method of determining such leaf nodes may be the same as the method described in step S123 of FIG. 13.

 続いて、引出受付部205は、{分割先のNNL木のSeed,分割先のNNL木の深さ,開始点,終了点}のセットを分割先の通貨の通貨ID(つまり、ステップS202における通貨付加情報T:=(id,pkU,S)のidとして生成する(S215)。 Next, the withdrawal acceptance unit 205 generates a set of {Seed of the NNL tree to be divided, depth of the NNL tree to be divided, start point, end point} as the currency ID of the currency to be divided (i.e., id 1 of the currency additional information T 1 := (id 1 , pkU j , S 1 ) in step S202) (S215).

 続いて、引出受付部205は、分割元の通貨(S202におけるT)を残高(額面vを差し引いた額)に対応させるため、分割元のNNL木において、分割先の通貨の終了点となった次の葉ノードを特定する(S215)。 Next, the withdrawal acceptance unit 205 identifies the next leaf node in the original NNL tree that is the end point of the destination currency in order to match the original currency (T 0 in S202) with the balance (amount minus the face value v) (S215).

 続いて、引出受付部205は、{分割元のNNL木のSeed,分割元のNNL木の深さ,当該次の葉ノード,分割元のNNL木の終了点}を仮通貨IDとして、分割元の通貨に関連付けておく(S217)。当該仮通貨IDは、残高分の分割元の通貨が引出、支払等により移転する際に、通貨付加情報の通貨IDとして利用される。 Then, the withdrawal reception unit 205 associates {Seed of the original NNL tree, depth of the original NNL tree, the next leaf node, and end point of the original NNL tree} with the original currency as a temporary currency ID (S217). This temporary currency ID is used as the currency ID of the currency addition information when the remaining amount of the original currency is transferred by withdrawal, payment, etc.

 図16は、第1実施形態に係る支払処理(送金者から着金者への送信処理)の流れの一例を示すシーケンス図である。支払処理は、送金側の利用者Uによる着金側の利用者Uへの支払を指示する操作に応じて開始される。 16 is a sequence diagram showing an example of the flow of payment processing (transmission processing from a remitter to a recipient) according to the first embodiment. The payment processing is started in response to an operation by a remitter user Uj to instruct a payment to a recipient user Uk .

 利用者端末30-1は、送金側の利用者Uが操作する利用者端末30である。利用者端末30-2は、着金側の利用者Uが操作する利用者端末30である。利用者端末30-1の支払要求部306は、支払い額v以上の通貨(Tn-1,・・・,T)から通貨付加情報を除く通貨データである通貨Tと、Tn-1=(idn-1,pkU,Sn-1)と、利用者公開鍵証明書Auth(pkU)とを送信して、支払を利用者端末30-2に要求する(ステップS301)。なお、通貨Tは、通貨(Tn-1,・・・,T)の現在の額面を示すものではない。通貨(Tn-1,・・・,T)の現在の額面は、Tn-1のidn-1としてのNNL木の開始点及び終了点から導出可能である。 The user terminal 30-1 is the user terminal 30 operated by the remittance user Uj . The user terminal 30-2 is the user terminal 30 operated by the remittance user Uk . The payment request unit 306 of the user terminal 30-1 transmits the currency T0, which is the currency data excluding the currency additional information from the currencies (Tn -1 , ..., T0 ) whose payment amount is equal to or greater than v, Tn -1 = (idn -1 , pkUj , Sn -1 ), and the user public key certificate Auth( pkUj ) to request payment from the user terminal 30-2 (step S301). Note that the currency T0 does not indicate the current face value of the currencies (Tn -1 , ..., T0 ). The current denomination of a currency (T n-1 , . . . , T 0 ) can be derived from the start and end points of the NNL tree as id n-1 of T n-1 .

 利用者端末30-2の支払受付部307は、支払を受け付ける(ステップS302)。具体的には、支払受付部307は、通貨Tと、Tn-1=(idn-1,pkU,Sn-1)のSn-1と、利用者公開鍵証明書Auth(pkU)とを検証する。ここで、支払受付部307は、通貨の検証においては、通貨に含まれる署名データを検証する。例えば、支払受付部307は、通貨T:=(id,y,B,pkB,S)の署名Sを検証する。また、支払受付部307は、Tn-1=(idn-1,pkU,Sn-1)のSn-1をpkUを用いて検証する。 The payment acceptance unit 307 of the user terminal 30-2 accepts the payment (step S302). Specifically, the payment acceptance unit 307 verifies the currency T 0 , S n-1 of T n-1 = (id n-1 , pkU j , S n- 1 ), and the user public key certificate Auth(pkU j ). Here, in verifying the currency, the payment acceptance unit 307 verifies the signature data included in the currency. For example, the payment acceptance unit 307 verifies the signature S 0 of the currency T 0 := (id 0 , y, B i , pkB i , S 0 ). In addition, the payment acceptance unit 307 verifies S n -1 of T n-1 = (id n-1 , pkU j , S n-1 ) using pkU j .

 次に、支払受付部307は、利用者端末30-2の利用者鍵記憶部312に記憶された利用者鍵の公開鍵pkUを利用者端末30-1に送信する(ステップS303)。利用者端末30-1の支払要求部306は、通貨IDとしてのidを生成し、idと、受信した公開鍵pkUと、通貨データ(例えばTn-1、あるいは、Tn-1のハッシュ値)を含む情報に、利用者端末30-1の利用者鍵記憶部312に記憶された利用者鍵の秘密鍵skUを使用して署名(S)を計算し、通貨付加情報T:=(id,pkU,S)を生成する(ステップS304)。通貨付加情報を通貨データと呼んでもよい。ここで、idは、これから生成される通貨(T,・・・,T)の額面に基づく通貨IDである。通貨(Tn-1,・・・,T)が支払い額vに一致する場合には、idの値は、通貨(Tn-1,・・・,T)のTn-1の通貨IDであるidn-1と同じでよい。また、複数の通貨(Tn-1,・・・,T)のセットが支払い額vに一致する場合には、支払要求部306は、これらの通貨(Tn-1,・・・,T)ごとに通貨付加情報T:=(id,pkU,S)を生成すればよい。この場合、各Tnのidの値は、対応するidn-1と同じでよく、後述される通貨(T,・・・,T)は、通貨(Tn-1,・・・,T)ごとに生成される。 Next, the payment acceptance unit 307 transmits the public key pkU k of the user key stored in the user key storage unit 312 of the user terminal 30-2 to the user terminal 30-1 (step S303). The payment request unit 306 of the user terminal 30-1 generates id n as a currency ID, calculates a signature (S n ) using the private key skU j of the user key stored in the user key storage unit 312 of the user terminal 30-1 for information including id n, the received public key pkU k , and currency data (for example, T n -1 or the hash value of T n -1 ), and generates currency additional information T n := (id n , pkU k , S n ) (step S304). The currency additional information may be called currency data. Here, id n is a currency ID based on the face value of the currency (T n , ..., T 0 ) to be generated. When a currency (T n-1 , ..., T 0 ) matches the payment amount v, the value of id n may be the same as id n-1 , which is the currency ID of T n-1 of the currency (T n-1 , ..., T 0 ). Also, when a set of multiple currencies (T n -1 , ..., T 0 ) matches the payment amount v, the payment request unit 306 may generate currency additional information T n := (id n , pkU k , S n ) for each of these currencies ( T n-1 , ..., T 0 ). In this case, the value of id n for each Tn may be the same as the corresponding id n-1 , and the currency (T n , ..., T 0 ) described below is generated for each currency (T n-1 , ..., T 0 ).

 一方、通貨(Tn-1,・・・,T)が支払い額vを超える場合、又は複数の通貨(Tn-1,・・・,Tのセットでは支払い額vを超える場合、支払要求部306は、通貨(Tn-1,・・・,T)の一部を分割してidを生成する。すなわち、この場合のidは、通貨(Tn-1,・・・,T)におけるTn-1の通貨IDであるidn-1としてのNNL木を分割元として、支払要求部306が支払い額vだけ分割することで得られる分割先のNNL木の{Seed,深さ,開始点,終了点}である。斯かる分割を実行するための処理手順は、図15において説明した通りである。すなわち、ステップS304において、支払要求部306は、図15の処理手順を実行することでidを生成する。 On the other hand, if the currency (T n-1 , ..., T 0 ) exceeds the payment amount v, or if the set of multiple currencies (T n-1 , ..., T 0 ) 0 exceeds the payment amount v, the payment request unit 306 divides a part of the currency (T n-1 , ..., T 0 ) to generate id n . That is, id n in this case is {Seed, depth , start point, end point} of the NNL tree obtained by dividing the payment amount v by the payment request unit 306, using the NNL tree as id n-1 , which is the currency ID of T n-1 in the currency (T n-1 , ..., T 0 ), as the division source. The processing procedure for executing such division is as described in FIG. 15. That is, in step S304, the payment request unit 306 generates id n by executing the processing procedure of FIG. 15.

 支払要求部306は、通貨付加情報(Tn-1,・・・,T)に、生成した通貨付加情報T:=(id,pkU,S)を付加した通貨付加情報(T,・・・,T)を、利用者端末30-2に送信する(ステップS305)。 The payment request unit 306 sends the currency additional information (T n , ..., T 1 ) obtained by adding the generated currency additional information T n := (id n , pkU k , S n ) to the currency additional information (T n -1 , ..., T 1 ) to the user terminal 30-2 (step S305).

 利用者端末30-2の支払受付部307は、通貨付加情報(T,・・・,T)を検証する。具体的には、支払受付部307は、公開鍵pkUを用いてSを検証する。支払受付部307は、通貨付加情報に含まれるそれぞれの署名データを検証してもよい。例えば、支払受付部307は、通貨付加情報T:=(id,pkU,S)の署名Sを検証する。支払受付部307は、受信した通貨Tに通貨付加情報(T,・・・,T)を付加した通貨(T,・・・,T)を、利用者端末30-2の利用者通貨記憶部314に記憶させる。 The payment acceptance unit 307 of the user terminal 30-2 verifies the currency additional information (T n , ..., T 1 ). Specifically, the payment acceptance unit 307 verifies S n using the public key pkU j . The payment acceptance unit 307 may verify each signature data included in the currency additional information. For example, the payment acceptance unit 307 verifies the signature S n of the currency additional information T n := (id n , pkU j , S n ). The payment acceptance unit 307 stores the currency (T n , ..., T 0 ) obtained by adding the currency additional information (T n , ..., T 1 ) to the received currency T 0 in the user currency storage unit 314 of the user terminal 30-2.

 図17は、両替処理の流れの一例を示すシーケンス図である。両替処理は、利用者Uの両替を指示する操作に応じて開始される。 17 is a sequence diagram showing an example of the flow of a currency exchange process. The currency exchange process is started in response to an operation of a user Uj instructing currency exchange.

 利用者端末30の両替・預入要求部308は、両替の額面vを示す額面情報と、利用者鍵記憶部312に記憶された利用者鍵の公開鍵pkUと、を送信して、金融機関サーバ20に両替を要求する(ステップS401)。 The exchange/deposit request unit 308 of the user terminal 30 transmits denomination information indicating the denomination v of the exchange and the public key pkU j of the user key stored in the user key memory unit 312 to request an exchange from the financial institution server 20 (step S401).

 金融機関サーバ20の両替・預入受付部207は、両替を受け付ける(ステップS402)。両替・預入受付部207は、両替の受付を示す両替受付情報を利用者端末30に送信する(ステップS403)。 The exchange and deposit acceptance unit 207 of the financial institution server 20 accepts the exchange (step S402). The exchange and deposit acceptance unit 207 transmits exchange acceptance information indicating the acceptance of the exchange to the user terminal 30 (step S403).

 利用者端末30の両替・預入要求部308が、両替受付情報を受信すると、支払要求部306は、図16に示される支払処理にしたがって、金融機関サーバ20に支払を要求する(ステップS404)。 When the exchange/deposit request unit 308 of the user terminal 30 receives the exchange acceptance information, the payment request unit 306 requests payment from the financial institution server 20 according to the payment process shown in FIG. 16 (step S404).

 また、金融機関サーバ20の支払要求部208は、合計して両替額vとなる額v,・・・,vに両替する場合、v,・・・,vのそれぞれについて、図16に示される支払処理にしたがって利用者端末30に支払を要求する(ステップS405-1,S405-2)。 In addition, when exchanging amounts v1 , ..., vx that total to an exchange amount v, the payment request unit 208 of the financial institution server 20 requests payment from the user terminal 30 for each of v1 , ..., vx in accordance with the payment process shown in FIG. 16 (steps S405-1, S405-2).

 図18は、与信処理の流れの一例を示すシーケンス図である。与信処理は、利用者Uの与信を指示する操作に応じて開始される。 18 is a sequence diagram showing an example of the flow of a credit process. The credit process is started in response to an operation of a user Uj instructing credit.

 利用者端末30の与信要求部309は、利用可否を確認したい通貨Tを送信して、金融機関サーバ20に与信を要求する(ステップS501)。金融機関サーバ20の与信受付部210は、与信を受け付ける(ステップS502)。具体的には、与信受付部210は、通貨Tを使用中通貨記憶部216から検索して、Tを含むレコード、例えば(T,T)が存在すれば、与信成功ackを示す与信結果を利用者端末30に送信する(ステップS503)。 The credit request unit 309 of the user terminal 30 transmits the currency T0 for which the availability of the currency is to be confirmed, and requests credit from the financial institution server 20 (step S501). The credit acceptance unit 210 of the financial institution server 20 accepts the credit (step S502). Specifically, the credit acceptance unit 210 searches for the currency T0 in the currently used currency storage unit 216, and if a record including T0 , for example ( T1 , T0 ), exists, the credit acceptance unit 210 transmits a credit result indicating a credit success ack to the user terminal 30 (step S503).

 図19は、預入処理の流れの一例を示すシーケンス図である。預入処理は、利用者Uの預入を指示する操作に応じて開始される。 19 is a sequence diagram showing an example of the flow of a deposit process. The deposit process is started in response to an operation of a user Uj instructing a deposit.

 利用者端末30の両替・預入要求部308は、預入の額面vを示す額面情報と、利用者鍵記憶部312に記憶された利用者鍵の公開鍵pkUと、を送信して、金融機関サーバ20に両替を要求する(ステップS601)。 The currency exchange/deposit request unit 308 of the user terminal 30 transmits face amount information indicating the face amount v of the deposit and the public key pkU j of the user key stored in the user key memory unit 312 to request currency exchange from the financial institution server 20 (step S601).

 金融機関サーバ20の両替・預入受付部207は、預入を受け付ける(ステップS602)。両替・預入受付部207は、預入の受付を示す預入受付情報を利用者端末30に送信する(ステップS603)。 The exchange and deposit reception unit 207 of the financial institution server 20 accepts the deposit (step S602). The exchange and deposit reception unit 207 transmits deposit acceptance information indicating the acceptance of the deposit to the user terminal 30 (step S603).

 利用者端末30の両替・預入要求部308が、預入受付情報を受信すると、支払要求部306は、図13に示される支払処理にしたがって、金融機関サーバ20に支払を要求する(ステップS604)。 When the exchange/deposit request unit 308 of the user terminal 30 receives the deposit acceptance information, the payment request unit 306 requests payment from the financial institution server 20 according to the payment process shown in FIG. 13 (step S604).

 図20は、還収処理の流れの一例を示すシーケンス図である。還収処理は、金融機関Bの還収を指示する操作に応じて開始される。 20 is a sequence diagram showing an example of the flow of the refund process. The refund process is started in response to an operation of the financial institution Bi to instruct a refund.

 金融機関サーバ20の還収要求部211は、還収する通貨データを送信して、発行銀行サーバ10に還収を要求する(ステップS701)。還収する通貨データは、未使用通貨でも使用済通貨でも良い。未使用通貨を還収する場合は、還収要求部211は、未使用通貨Tを未使用通貨記憶部215から抜き出して、発行銀行サーバ10に送信する。 The refund request unit 211 of the financial institution server 20 transmits the currency data to be refunded and requests a refund from the issuing bank server 10 (step S701). The currency data to be refunded may be unused currency or used currency. When refunding unused currency, the refund request unit 211 extracts unused currency T0 from the unused currency storage unit 215 and transmits it to the issuing bank server 10.

 また、使用済通貨を還収する場合は、還収要求部211は、使用済通貨(T,・・・,T)を使用済通貨記憶部218から抜き出して、発行銀行サーバ10に送信する。また、使用済通貨(T,・・・,Tk+1,T)が更新済みである場合には、還収要求部211は、更新済通貨記憶部217から更新前の通貨付加情報(T,・・・,T)を読み出して、使用済通貨(T,・・・,Tk+1,T)に結合し、結合された通貨(T,・・・,T)を発行銀行サーバ10に送信する。 Furthermore, when refunding used currency, the refund request unit 211 extracts the used currency (T n , ..., T 0 ) from the used currency storage unit 218 and transmits it to the issuing bank server 10. Furthermore, if the used currency (T m , ..., T k+1 , T 0 ) has been updated, the refund request unit 211 reads out the currency additional information (T k , ..., T 1 ) before the update from the updated currency storage unit 217, combines it with the used currency (T m , ..., T k+1 , T 0 ), and transmits the combined currency (T m , ..., T 0 ) to the issuing bank server 10.

 発行銀行サーバ10の還収受付部105は、還収を受け付ける(ステップS702)。具体的には、還収受付部105は、受信した通貨データを還収済通貨記憶部107に記憶させる。この際、還収受付部105は、各通貨付加情報に含まれている署名を検証することで、還収を受け付けた通貨の正当性を確認してもよい。例えば、通貨付加情報Tに含まれている署名Sは、通貨付加情報Tn-1に含まれている公開鍵を用いて検証することができる。 The refund acceptance unit 105 of the issuing bank server 10 accepts the refund (step S702). Specifically, the refund acceptance unit 105 stores the received currency data in the refunded currency storage unit 107. At this time, the refund acceptance unit 105 may confirm the validity of the currency for which the refund has been accepted by verifying the signature included in each currency additional information. For example, the signature S n included in the currency additional information T n can be verified using the public key included in the currency additional information T n-1 .

 (第1実施形態の効果)
 上述したように、第1実施形態によれば、通貨データ(通貨トークン、署名連鎖)から生じ得る、プライバシに関する情報の露呈を抑えることができる。 (Effects of the First Embodiment)
As described above, according to the first embodiment, it is possible to suppress the disclosure of privacy-related information that may arise from currency data (currency tokens, signature chains).

 具体的には、店舗及び個人ユーザそれぞれの公開鍵の利用に制約(例えば1回限りまたは少数回の利用とする)を設けたことで、複数の取引間の仮名(公開鍵)による個人の絞り込みを防ぐことができる。また、個人ユーザは、取引相手の店舗への取引履歴の露呈を防ぐことができる。 Specifically, by placing restrictions on the use of the public keys of each store and individual user (for example, limiting use to one time or a small number of times), it is possible to prevent individuals from being narrowed down by using pseudonyms (public keys) across multiple transactions. In addition, individual users can prevent their transaction history from being revealed to stores with which they do business.

 また、NNL木を採用したので、1取引に利用される通貨枚数を低減させることができ、結果として、同一取引内の複数の通貨データに付与された仮名(公開鍵)による個人の絞り込みを防ぐことができる。 In addition, by adopting an NNL tree, it is possible to reduce the number of coins used in one transaction, which in turn makes it possible to prevent individuals from being narrowed down by pseudonyms (public keys) assigned to multiple currency data in the same transaction.

 また、NNL木を採用したことで、変動額面方式を効率的に実現可能とすることができる。具体的には、通貨の最小単位を固定としつつも、最小単位の倍数の通貨を発行することができ、最小単位ごとではなく、通貨単位で署名及び検証を可能とすることができる。また、NNL木方式を採用することで、ハッシュ演算の回数を削減することもできる。 Furthermore, by adopting the NNL tree, it is possible to efficiently realize a floating denomination system. Specifically, while the minimum unit of currency is fixed, it is possible to issue currency in multiples of the minimum unit, making it possible to sign and verify in units of currency rather than in units of the minimum unit. Furthermore, by adopting the NNL tree method, it is also possible to reduce the number of hash calculations.

 (第2実施形態)
 次に、第2実施形態について説明する。第2実施形態では第1実施形態と異なる点について説明する。第2実施形態において特に言及されない点については、第1実施形態と同様でもよい。 Second Embodiment
Next, a second embodiment will be described. In the second embodiment, differences from the first embodiment will be described. Points not specifically mentioned in the second embodiment may be the same as those in the first embodiment.

 第1実施形態では、引出、支払等によって通貨が移転する際に、通貨単位で検証が行われる必要がある。したがって、例えば、2千円の通貨を2つ有している利用者が3千円を支払いたい場合、1つの2千円と、もう1つの2千円から分割した千円との2つの通貨を支払えばよいが、この場合、支払う側は通貨ごとに署名を生成し、支払を受ける側は通貨ごとに検証を行う必要がある。取引される通貨の数が多くなればなるほど、このような署名及び検証の負担は大きくなる。第2実施形態では、このような負担を軽減するための方法が開示される。 In the first embodiment, when currency is transferred by withdrawal, payment, etc., verification must be performed on a currency-by-currency basis. Therefore, for example, if a user who has two 2,000 yen currency deposits wishes to pay 3,000 yen, they can pay two currencies: one 2,000 yen deposit and one 1,000 yen deposit divided from the other 2,000 yen deposit. In this case, the payer must generate a signature for each currency, and the payment recipient must verify each currency. The greater the number of currencies traded, the greater the burden of such signatures and verifications. In the second embodiment, a method for reducing this burden is disclosed.

 第2実施形態では、通貨のハッシュ木を生成して、そのハッシュ木のルートに署名することによって、対象とする通貨をまとめて署名する点が第1実施形態と異なる。以下の第2実施形態の説明において、第1実施形態と同様の機能構成を有するものには、第1実施形態の説明で用いた符号と同様の符号を付与し、その説明を省略する。 The second embodiment differs from the first embodiment in that a hash tree of currencies is generated and the root of the hash tree is signed to sign all the target currencies at once. In the following description of the second embodiment, components having the same functional configuration as those in the first embodiment are given the same reference numerals as those used in the description of the first embodiment, and descriptions of these components are omitted.

 (第2実施形態において使用する基本技術)
 まず、本実施例において使用する基本技術について説明する。本実施例においてマークルツリー(参考文献[2])と呼ばれるハッシュ木を利用した4つの関数MHTree、MHPath、MHVerを使用する。 (Basic Technology Used in the Second Embodiment)
First, the basic technology used in this embodiment will be described. In this embodiment, four functions MHTree, MHPath, and MHVer that utilize a hash tree called a Merkle tree (reference document [2]) are used.

 図21は、第2実施形態に係るマークルツリーのMHTree関数について説明するための図である。MHTree関数は、データセットからハッシュ木を生成する関数である。 FIG. 21 is a diagram for explaining the MHTree function of a Merkle tree according to the second embodiment. The MHTree function is a function that generates a hash tree from a data set.

 具体的には、MHTree関数は、データセットDを入力しDを構成する各データのハッシュ値を葉ノードに対応付けることで生成される2分木であるハッシュツリーL={(leaf_id,leaf_val)}を出力する関数である。ここで、頂点hをルートという。以下、MHTree(D)->Lのように記述する。なお、図21は、n=6のデータセットである。各葉ノードの値は当該葉ノードに対応するデータのハッシュ値である。7番目と8番目の葉ノードには、2分木の構成を可能とするために"00"が補完されている。 Specifically, the MHTree function is a function that inputs a dataset D and outputs a hash tree L = {(leaf_id, leaf_val)}, which is a binary tree generated by associating the hash value of each piece of data that makes up D with a leaf node. Here, the vertex h is called the root. Below, it is written as MHTree(D)->L. Note that Figure 21 shows a dataset with n=6. The value of each leaf node is the hash value of the data that corresponds to that leaf node. The seventh and eighth leaf nodes are complemented with "00" to enable the construction of a binary tree.

 図22は、第2実施形態に係るマークルツリーのMHPath関数について説明するための第一の図である。MHPath関数は、部分データセットを認証するために必要なパスを生成する関数である。 FIG. 22 is a first diagram for explaining the MHPath function of a Merkle tree according to the second embodiment. The MHPath function is a function that generates a path required to authenticate a partial data set.

 具体的には、MHPath関数は、認証したい部分データセットD'(図22の場合、D'={d0,d4,d5})を入力して、その認証に必要な認証用のパスAP(図19のh001,h01,h11)とルートhを出力する関数である。以下、MHPath(D',L)->(AP,h)のように記述する。 Specifically, the MHPath function is a function that inputs the partial data set D' to be authenticated (in the case of Figure 22, D' = {d0, d4, d5}) and outputs the authentication path AP (h001, h01, h11 in Figure 19) and route h required for that authentication. Below, it is written as MHPath (D', L) -> (AP, h).

 図23は、第2実施形態に係るマークルツリーのMHVer関数について説明するための図である。MHVer関数は、部分データセットの認証パスによる検証を行う関数である。 FIG. 23 is a diagram for explaining the MHVer function of a Merkle tree according to the second embodiment. The MHVer function is a function that performs verification using the authentication path of a partial data set.

 具体的には、MHVer関数は、認証に必要なパスAP(図23のh001,h01,h11)とルートhから、サブデータD'(図23の場合、D'={d0,d4,d5})を検証する関数である。以下、MHver(AP,h,D')->T or Fのように記述する。MHver関数は、検証に成功した場合(D'が正しい場合)Tを出力し、検証に失敗した場合(D'が正しくない場合)Fを出力する。D'が正しいとは、D'に属する全てのデータが改ざんされていないことをいう。 Specifically, the MHVer function is a function that verifies sub-data D' (D' = {d0, d4, d5} in the case of Figure 23) from the path AP required for authentication (h001, h01, h11 in Figure 23) and the route h. Below, it is written as MHver (AP, h, D') -> T or F. The MHver function outputs T if the verification is successful (if D' is correct), and outputs F if the verification fails (if D' is incorrect). D' being correct means that none of the data belonging to D' has been tampered with.

 (第2実施形態に係る電子通貨システムの動作例)
 ここでは、図14のステップS202において、額面vに一致する通貨が複数の通貨のセットT:=(T_t):=((id_t,y_t,B,pkB,S_t),t=1,・・・,s,Σv_t=v)であったとする。なお、v_tは、Tを構成する通貨セットのうちのt番目の通貨T_tの金額である。例えば、各v_tが1万円であり、8万円の引出を受け付けた場合、s=8である。図24には、それぞれが1万円であるT_tが8枚有る状態が示されている。なお、例えば、金融機関サーバ20の未使用通貨記憶部215に、10万円の通貨しかない等のように、1万円×8の通貨が無い場合、引出受付部205は、図15の処理を実行することで、既存の10万円から8枚の1万円を分割すればよい。なお、第2実施形態において、各T_tは、発行直後の通貨に限らず、発行後の移転が行われた(つまり、通貨付加情報が付加された)通貨であってもよい。この場合、移転の過程において分割(つまり、通貨IDのNNL木の分割)が行われた通貨であってもよい。 (Example of operation of electronic currency system according to the second embodiment)
Here, in step S202 of FIG. 14, it is assumed that the currency matching the face value v is a set of multiple currencies T 0 :=(T 0 _t ):=((id 0 _t, y_t, B i , pkB i , S 0 _t), t=1, ..., s, Σv_t=v). Note that v_t is the amount of the t-th currency T 0 _t among the currency sets constituting T 0. For example, if each v_t is 10,000 yen and a withdrawal of 80,000 yen is accepted, then s=8. FIG. 24 shows a state in which there are eight T 0 _t, each of which is 10,000 yen. Note that if there is no 10,000 yen x 8 currency, such as, for example, if there is only 100,000 yen currency in the unused currency storage unit 215 of the financial institution server 20, the withdrawal acceptance unit 205 can execute the process of FIG. 15 to divide the eight 10,000 yen coins from the existing 100,000 yen. In the second embodiment, each T 0 _t is not limited to a currency immediately after issuance, but may be a currency that has been transferred after issuance (i.e., currency additional information has been added). In this case, the currency may be a currency that has been divided (i.e., the NNL tree of the currency ID has been divided) during the transfer process.

 金融機関サーバ20の引出受付部205は、ハッシュ木L=MHTree({T_t}{t=1,・・・,s})を生成し、秘密鍵skBを用いてハッシュ木Lのルートノードのハッシュ値RH(RootHash)及びpkUのセットに対する署名Sを生成する。すなわち、ハッシュ木Lはその葉ノードに対してTを構成する各T_tを割り当てることで生成されるハッシュ木である。引出受付部205は、T_tごとに、当該T_t対して通貨付加情報T_t:=(id_t,pkU,RH,AP_t,S)を付加することで使用中通貨(T_t,T_t)を生成し、使用中通貨記憶部216に記憶させる。ここで、AP_tは、MHPath(T_t,L)->(AP_t,RH)によって得られるRHの認証に必要なパスである。また、各id_tの値は、それぞれに対応するid_tと同じでよい。この状態を図25に示す。各T_tが含む署名は同じSであることが分かる。以下、通貨(T_t,T_t)のセット(ここでは8個のセット)を(T,T)と記載する。 The withdrawal acceptance unit 205 of the financial institution server 20 generates a hash tree L1 = MHTree ({ T0_t } {t = 1, ..., s}) and generates a signature S1 for the set of the hash value RH (RootHash) of the root node of the hash tree L1 and pkUj using the private key skB i . In other words, the hash tree L1 is a hash tree generated by assigning each T0_t constituting T0 to its leaf nodes. For each T0_t , the withdrawal acceptance unit 205 generates a currency in use ( T1_t , T0_t ) by adding currency additional information T1_t : = ( id1_t , pkUj , RH, AP_t , S1 ) to the T0_t, and stores it in the currency in use memory unit 216. Here, AP_t is a path required for authenticating RH obtained by MHPath(T 0 _t, L 1 )->(AP_t, RH). The value of each id 1 _t may be the same as the corresponding id 0 _t. This state is shown in FIG. 25. It can be seen that each T 1 _t contains the same signature S 1. Hereinafter, a set of currencies (T 1 _t, T 0 _t) (here, a set of eight) is written as (T 1 , T 0 ).

 続いて、引出受付部205は、使用中通貨セット(T,T)の通貨データセットと、金融機関公開鍵証明書Auth(pkB)とを利用者端末30に送信する(ステップS203)。利用者端末30の引出要求部305は、使用中通貨セット(T,T)の通貨データセットと、金融機関公開鍵証明書Auth(pkB)とを検証し、使用中通貨セット(T,T)を利用者通貨記憶部314に記憶させる。この際、引出要求部305は、通貨セット(T,T)の検証に関しては、(T,T)のうちのいずれか1つの通貨(T_t,T_t)についてのみを検証すればよい。具体的には、いずれか1つのT_tについてMHver(AP_t,RH,T)がTであることを検証し、かつ、当該T_tが含むSを検証する。引出要求部305は、他のT_tについては、検証対象としたT_tと同じSを含むことを確認すればよい。 Next, the withdrawal acceptance unit 205 transmits the currency data set of the currency set (T 1 , T 0 ) in use and the financial institution public key certificate Auth(pkB i ) to the user terminal 30 (step S203). The withdrawal request unit 305 of the user terminal 30 verifies the currency data set of the currency set (T 1 , T 0 ) in use and the financial institution public key certificate Auth(pkB i ), and stores the currency set (T 1 , T 0 ) in use in the user currency storage unit 314. At this time, the withdrawal request unit 305 needs to verify only one of the currencies (T 1 _t , T 0 _t ) in (T 1 , T 0 ) when verifying the currency set (T 1 , T 0 ). Specifically, for any one of T 1 _t, MHver(AP_t, RH, T 0 ) is verified to be T, and S 1 included in the T 1 _t is verified. For other T 1 _t, the withdrawal request unit 305 only needs to confirm that they include the same S 1 as the verified T 1 _t.

 なお、利用者端末30の利用者は、通貨セットとして引き出した(T,T)を構成していた各(T_t,T_t)を個別に(バラバラに)利用することができる。T_tは、通貨セットの署名及び検証コストの軽減のためにRH及びAP_tを含む点を除いて、第1実施形態における通貨付加情報と同様に通貨の持ち主(流通過程)の履歴を示すものであり、それぞれ個別に通貨の真正性が担保されているからである。 The user of the user terminal 30 can use each of (T 1 _t, T 0 _t ) that constituted the withdrawn currency set (T 1 , T 0 ) individually (separately). This is because T 1 _t indicates the history of the currency owner (circulation process) like the currency additional information in the first embodiment, except that it includes RH and AP_t to reduce the signature and verification costs of the currency set, and the authenticity of each currency is guaranteed individually.

 なお、上記した処理は、図16において、複数の貨幣のセットで支払が行われる際におけるステップS304及びS305においても実行される。 The above process is also performed in steps S304 and S305 in FIG. 16 when a payment is made using a set of multiple coins.

 また、図17(両替時)及び図19(預入時)から呼び出される図16の処理においても実行される。 It is also executed in the process of FIG. 16 called from FIG. 17 (when exchanging money) and FIG. 19 (when depositing money).

 更に、その他の全てのフェーズ(発行時及び還収時等)において図16の処理は適用可能である。例えば、還収時であれば、還収対象の通貨の一括渡しを効率化することができる。 Furthermore, the process in FIG. 16 can be applied in all other phases (such as when issuing and when redeeming). For example, when redeeming, it is possible to efficiently transfer the currency to be redeemed in one lump sum.

 上述したように、第2実施形態によれば、第1実施形態で説明した効果に加えて、複数の通貨を移転する際の署名コスト及び検証コストを軽減することができるという効果がある。 As described above, in addition to the effects described in the first embodiment, the second embodiment has the effect of reducing the signature and verification costs when transferring multiple currencies.

 (ハードウェア構成例)
 第1実施形態と第2実施形態に共通のハードウェア構成例を説明する。電子通貨システム1の備える各装置(及び情報システムの備える情報処理装置)の各部は、例えば、コンピュータに、本実施の形態で説明する処理内容を記述したプログラムを実行させることにより実現可能である。なお、この「コンピュータ」は、物理マシンであってもよいし、クラウド上の仮想マシンであってもよい。仮想マシンを使用する場合、ここで説明する「ハードウェア」は仮想的なハードウェアである。 (Hardware configuration example)
An example of a hardware configuration common to the first and second embodiments will be described. Each part of each device (and information processing device) included in the electronic currency system 1 can be realized, for example, by having a computer execute a program describing the processing contents described in this embodiment. Note that this "computer" may be a physical machine or a virtual machine on the cloud. When a virtual machine is used, the "hardware" described here is virtual hardware.

 上記プログラムは、コンピュータが読み取り可能な記録媒体(可搬メモリ等)に記録して、保存したり、配布したりすることが可能である。また、上記プログラムをインターネットや電子メール等、ネットワークを通して提供することも可能である。 The above program can be recorded on a computer-readable recording medium (such as a portable memory) and stored or distributed. The above program can also be provided via a network, such as the Internet or e-mail.

 図26は、上記コンピュータのハードウェア構成例を示す図である。図26のコンピュータは、それぞれバスBで相互に接続されているドライブ装置1000、補助記憶装置1002、メモリ装置1003、CPU1004、インタフェース装置1005、表示装置1006、入力装置1007、出力装置1008等を有する。 FIG. 26 is a diagram showing an example of the hardware configuration of the computer. The computer in FIG. 26 has a drive device 1000, an auxiliary storage device 1002, a memory device 1003, a CPU 1004, an interface device 1005, a display device 1006, an input device 1007, an output device 1008, etc., all of which are interconnected via a bus B.

 当該コンピュータでの処理を実現するプログラムは、例えば、CD-ROM又はメモリカード等の記録媒体1001によって提供される。プログラムを記憶した記録媒体1001がドライブ装置1000にセットされると、プログラムが記録媒体1001からドライブ装置1000を介して補助記憶装置1002にインストールされる。但し、プログラムのインストールは必ずしも記録媒体1001より行う必要はなく、ネットワークを介して他のコンピュータよりダウンロードするようにしてもよい。補助記憶装置1002は、インストールされたプログラムを格納すると共に、必要なファイルやデータ等を格納する。 The program that realizes the processing on the computer is provided by a recording medium 1001, such as a CD-ROM or a memory card. When the recording medium 1001 storing the program is set in the drive device 1000, the program is installed from the recording medium 1001 via the drive device 1000 into the auxiliary storage device 1002. However, the program does not necessarily have to be installed from the recording medium 1001, but may be downloaded from another computer via a network. The auxiliary storage device 1002 stores the installed program as well as necessary files, data, etc.

 メモリ装置1003は、プログラムの起動指示があった場合に、補助記憶装置1002からプログラムを読み出して格納する。CPU1004は、メモリ装置1003に格納されたプログラムに従って、当該装置に係る機能を実現する。インタフェース装置1005は、ネットワークに接続するためのインタフェースとして用いられる。表示装置1006はプログラムによるGUI(Graphical User Interface)等を表示する。入力装置1007はキーボード及びマウス、ボタン、又はタッチパネル等で構成され、様々な操作指示を入力させるために用いられる。出力装置1008は演算結果を出力する。なお、上記コンピュータは、CPU1004の代わりにGPU(Graphics Processing Unit)またはTPU(Tensor processing unit)を備えていても良く、CPU1004に加えて、GPUまたはTPUを備えていても良い。その場合、例えばニューラルネットワーク等の特殊な演算が必要な処理をGPUまたはTPUが実行し、その他の処理をCPU1004が実行する、というように処理を分担して実行しても良い。 When an instruction to start a program is received, the memory device 1003 reads out and stores the program from the auxiliary storage device 1002. The CPU 1004 realizes the functions related to the device according to the program stored in the memory device 1003. The interface device 1005 is used as an interface for connecting to a network. The display device 1006 displays a GUI (Graphical User Interface) or the like according to a program. The input device 1007 is composed of a keyboard, mouse, buttons, a touch panel, or the like, and is used to input various operation instructions. The output device 1008 outputs the results of calculations. Note that the above computer may be equipped with a GPU (Graphics Processing Unit) or TPU (Tensor processing unit) instead of the CPU 1004, or may be equipped with a GPU or TPU in addition to the CPU 1004. In that case, the processes may be shared and executed, for example, the GPU or TPU executes processes that require special calculations such as neural networks, and the CPU 1004 executes other processes.

 以上の実施形態に関し、更に以下の付記1、付記2を開示する。 With respect to the above embodiment, the following Supplementary Notes 1 and 2 are further disclosed.

 <付記1>
(付記項1)
 公開鍵と署名との組を有するデータが複数個連結された情報を情報処理装置間で送受信する情報システムにおける情報処理装置であって、
 メモリと、
 前記メモリに接続された少なくとも1つのプロセッサと、
 を含み、
 前記プロセッサは、
 公開鍵と秘密鍵の組を生成してから、ある期間が経過した後に、又は、生成した公開鍵又は秘密鍵がある回数だけ使用された後に、新たに公開鍵と秘密鍵の組を生成し、新たに生成した前記公開鍵の証明書を取得し、
 新たに生成した前記公開鍵を含む情報を送信又は受信する
 情報処理装置。
(付記項2)
 前記情報処理装置の保有者は店舗であり、前記鍵生成部により生成される公開鍵は、前記店舗の仮名を示す公開鍵である
 付記項1に記載の情報処理装置。
(付記項3)
 前記プロセッサ及びメモリは、セキュアハードウェアで構成されている
 付記項1又は2に記載の情報処理装置。
(付記項4)
 前記プロセッサは、秘密鍵を用いたワンタイム署名が行われた後に、新たに公開鍵と秘密鍵の組を生成する
 付記項1ないし3のうちいずれか1項に記載の情報処理装置。
(付記項5)
 付記項1ないし5のうちいずれか1項に記載の情報処理装置と、前記証明書の生成を行うサーバとを含む情報システム。
(付記項6)
 公開鍵と署名との組を有するデータが複数個連結された情報を情報処理装置間で送受信する情報システムにおける情報処理装置が実行する情報処理方法であって、
 公開鍵と秘密鍵の組を生成してから、ある期間が経過した後に、又は、生成した公開鍵又は秘密鍵がある回数だけ使用された後に、新たに公開鍵と秘密鍵の組を生成し、新たに生成した前記公開鍵の証明書を取得する鍵生成ステップと、
 新たに生成した前記公開鍵を含む情報を送信又は受信する情報流通ステップと
 を備える情報処理方法。
(付記項7)
 コンピュータを、付記項1ないし5のうちいずれか1項における情報処理装置の各部として機能させるためのプログラムを記憶した非一時的記憶媒体。 <Appendix 1>
(Additional Note 1)
An information processing device in an information system in which information in which a plurality of pieces of data each having a pair of a public key and a signature are linked is transmitted and received between information processing devices,
Memory,
at least one processor coupled to the memory;
Including,
The processor,
After a certain period of time has elapsed since the generation of the public key and private key pair, or after the generated public key or private key has been used a certain number of times, a new public key and private key pair is generated and a certificate for the newly generated public key is obtained;
An information processing device that transmits or receives information including the newly generated public key.
(Additional Note 2)
2. The information processing device according to claim 1, wherein an owner of the information processing device is a store, and the public key generated by the key generating unit is a public key indicating a pseudonym of the store.
(Additional Note 3)
3. The information processing device according to claim 1, wherein the processor and the memory are configured with secure hardware.
(Additional Note 4)
4. The information processing device according to claim 1, wherein the processor generates a new pair of a public key and a private key after a one-time signature is performed using the private key.
(Additional Note 5)
6. An information system including the information processing device according to any one of claims 1 to 5, and a server that generates the certificate.
(Additional Note 6)
1. An information processing method executed by an information processing device in an information system in which information is transmitted and received between information processing devices, the information being a concatenation of a plurality of data pieces each having a pair of a public key and a signature, comprising:
a key generation step of generating a new public key and private key pair and obtaining a certificate for the newly generated public key after a certain period of time has elapsed since the generation of the public key and private key pair, or after the generated public key or private key has been used a certain number of times;
an information distribution step of transmitting or receiving information including the newly generated public key.
(Additional Note 7)
A non-transitory storage medium storing a program for causing a computer to function as each part of the information processing device according to any one of claims 1 to 5.

 <付記2>
(付記項1)
 メモリと、
 前記メモリに接続された少なくとも1つのプロセッサと、
 を含み、
 前記プロセッサは、
 移転する金額を電子通貨の最小単位で除した値以上の数の葉ノードを含むNNL木の深さを計算し、
 第1の電子通貨に付加された第1のNNL木において、前記深さに基づいて前記第1のNNL木の部分木である第2のNNL木のルートノードを決定し、
 前記第1のNNL木のSeedに基づいて前記ルートノードに対応する乱数を計算し、
 前記葉ノードのうち、前記金額に対応させる葉ノードの範囲を決定し、
 前記乱数、前記深さ、前記範囲を示す情報を第2の電子通貨に付加する情報として生成する
 通貨処理装置。
(付記項2)
 メモリと、
 前記メモリに接続された少なくとも1つのプロセッサと、
 を含み、
 前記プロセッサは、
 発行対象の電子通貨の金額を、電子通貨の最小単位で除した値以上の数の葉ノードを含むNNL木の深さを計算し、
 前記NNL木のSeedとなる乱数を生成し、
 前記葉ノードのうち、前記金額に対応させる葉ノードの範囲を決定し、
 前記乱数、前記深さ、前記範囲を示す情報を前記発行対象の電子通貨に付加する情報として生成する
 通貨処理装置。
(付記項3)
 メモリと、
 前記メモリに接続された少なくとも1つのプロセッサと、
 を含み、
 前記プロセッサは、
 移転対象とする複数の電子通貨のそれぞれハッシュ値に基づいてマークルツリーを生成し、
 前記マークルツリーのルートノードのハッシュ値と前記ハッシュ値に対する署名とを前記複数の電子通貨のそれぞれに付加する
 通貨処理装置。
(付記項4)
 移転する金額を電子通貨の最小単位で除した値以上の数の葉ノードを含むNNL木の深さを計算する深さ計算手順と、
 第1の電子通貨に付加された第1のNNL木において、前記深さに基づいて前記第1のNNL木の部分木である第2のNNL木のルートノードを決定するようにルートノード決定手順と、
 前記第1のNNL木のSeedに基づいて前記ルートノードに対応する乱数を計算する乱数計算手順と、
 前記葉ノードのうち、前記金額に対応させる葉ノードの範囲を決定する葉ノード決定手順と、
 前記乱数、前記深さ、前記範囲を示す情報を第2の電子通貨に付加する情報として生成する通貨付加情報生成手順と、
をコンピュータが実行する通貨処理方法。
(付記項5)
 発行対象の電子通貨の金額を、電子通貨の最小単位で除した値以上の数の葉ノードを含むNNL木の深さを計算する深さ計算手順と、
 前記NNL木のSeedとなる乱数を生成する乱数生成手順と、
 前記葉ノードのうち、前記金額に対応させる葉ノードの範囲を決定する葉ノード決定手順と、
 前記乱数、前記深さ、前記範囲を示す情報を前記発行対象の電子通貨に付加する情報として生成する通貨付加情報生成手順と、
をコンピュータが実行する通貨処理方法。
(付記項6)
 移転対象とする複数の電子通貨のそれぞれハッシュ値に基づいてマークルツリーを生成するマークルツリー生成手順と、
 前記マークルツリーのルートノードのハッシュ値と前記ハッシュ値に対する署名とを前記複数の電子通貨のそれぞれに付加する付加手順と、
をコンピュータが実行する通貨処理方法。
(付記項7)
 付記項4乃至6いずれか一項記載の通貨処理方法をコンピュータに実行させることを特徴とするプログラムを記憶した非一時的記憶媒体。 <Appendix 2>
(Additional Note 1)
Memory,
at least one processor coupled to the memory;
Including,
The processor,
Calculate the depth of the NNL tree that includes leaf nodes whose number is equal to or greater than the value obtained by dividing the amount to be transferred by the smallest unit of electronic currency;
determining a root node of a second NNL tree, which is a subtree of the first NNL tree, based on the depth in the first NNL tree added to the first electronic currency;
Calculating a random number corresponding to the root node based on a seed of the first NNL tree;
determining a range of leaf nodes to be associated with the amount among the leaf nodes;
generating information indicating said random number, said depth, and said range as information to be added to the second electronic currency.
(Additional Note 2)
Memory,
at least one processor coupled to the memory;
Including,
The processor,
Calculate the depth of an NNL tree including leaf nodes whose number is equal to or greater than the value obtained by dividing the amount of the electronic currency to be issued by the smallest unit of the electronic currency;
Generate random numbers to be seeds of the NNL tree;
determining a range of leaf nodes to be associated with the amount among the leaf nodes;
a currency processing device that generates information indicating said random number, said depth, and said range as information to be added to said electronic currency to be issued.
(Additional Note 3)
Memory,
at least one processor coupled to the memory;
Including,
The processor,
A Merkle tree is generated based on the hash values of each of the multiple electronic currencies to be transferred;
a hash value of a root node of the Merkle tree and a signature for the hash value, the hash value being added to each of the plurality of electronic currencies.
(Additional Note 4)
a depth calculation step for calculating the depth of an NNL tree including leaf nodes whose number is equal to or greater than the value obtained by dividing the amount to be transferred by the smallest unit of electronic currency;
a root node determination step for determining a root node of a second NNL tree, which is a subtree of the first NNL tree, based on the depth in a first NNL tree added to the first electronic currency;
a random number calculation step for calculating a random number corresponding to the root node based on a seed of the first NNL tree;
a leaf node determination step for determining a range of leaf nodes to be associated with the amount among the leaf nodes;
a currency additional information generating step of generating information indicating the random number, the depth, and the range as information to be added to the second electronic currency;
A computer implemented currency processing method.
(Additional Note 5)
a depth calculation step of calculating the depth of an NNL tree including leaf nodes whose number is equal to or greater than the value obtained by dividing the amount of electronic currency to be issued by the smallest unit of the electronic currency;
A random number generation procedure for generating random numbers to be seeds of the NNL tree;
a leaf node determination step for determining a range of leaf nodes to be associated with the amount among the leaf nodes;
a currency additional information generating step of generating information indicating the random number, the depth, and the range as information to be added to the electronic currency to be issued;
A computer implemented currency processing method.
(Additional Note 6)
A Merkle tree generation step of generating a Merkle tree based on hash values of each of a plurality of electronic currencies to be transferred;
a hash value of a root node of the Merkle tree and a signature for the hash value are added to each of the plurality of electronic currencies;
A computer implemented currency processing method.
(Additional Note 7)
A non-transitory storage medium storing a program for causing a computer to execute the currency processing method according to any one of claims 4 to 6.

 (参考文献)
 [1]Revocation and Tracing Schemes for Stateless Receivers, Dalit Naor, Moni Naor, and Jeff Lotspiech, CRYPTO2001
 [2]Jakobsson M., Leighton T., Micali S., Szydlo M. (2003) Fractal Merkle Tree Representation and Traversal. In: Joye M. (eds) Topics in Cryptology - CT-RSA 2003. CT-RSA 2003. Lecture Notes in Computer Science, vol 2612. Springer, Berlin, Heidelberg.
 以上、本発明の実施の形態について詳述したが、本発明は斯かる特定の実施形態に限定されるものではなく、請求の範囲に記載された本発明の要旨の範囲内において、種々の変形・変更が可能である。 (References)
[1] Revocation and Tracing Schemes for Stateless Receivers, Dalit Naor, Moni Naor, and Jeff Lotspiech, CRYPTO2001
[2] Jakobsson M., Leighton T., Micali S., Szydlo M. (2003) Fractal Merkle Tree Representation and Traversal. In: Joye M. (eds) Topics in Cryptology - CT-RSA 2003. CT-RSA 2003. Lecture Notes in Computer Science, vol 2612. Springer, Berlin, Heidelberg.
Although the embodiment of the present invention has been described in detail above, the present invention is not limited to such a specific embodiment, and various modifications and changes are possible within the scope of the gist of the present invention described in the claims.

1 電子通貨システム
10 発行銀行サーバ
11 ルート認証局サーバ
20 金融機関サーバ
25 中間認証局サーバ
30 利用者端末
101 通貨発行鍵生成部
102 通貨発行証明書発行部
103 金融機関公開鍵証明書発行情報取得部
104 通貨発行部
105 還収受付部
106 通貨発行鍵記憶部
107 還収済通貨記憶部
111 ルート認証鍵生成部
112 ルート証明書発行部
113 金融機関認証部
114 金融機関公開鍵証明書発行情報送信部
115 ルート認証鍵記憶部
116 金融機関公開鍵証明書発行情報記憶部
201 通貨発行証明書発行受付部
202 金融機関鍵生成部
203 金融機関認証要求部
204 通貨発行受付部
205 引出受付部
206 更新処理部
207 両替・預入受付部
208 支払要求部
209 支払受付部
210 与信受付部
211 還収要求部
212 通貨発行証明書記憶部
213 金融機関鍵記憶部
214 金融機関公開鍵証明書記憶部
215 未使用通貨記憶部
216 使用中通貨記憶部
217 更新済通貨記憶部
218 使用済通貨記憶部
251 中間認証鍵生成部
252 中間証明書発行部
253 利用者認証部
254 中間認証鍵記憶部
255 利用者公開鍵証明書発行情報記憶部
301 通貨発行証明書発行受付部
302 中間証明書発行受付部
303 利用者鍵生成部
304 利用者認証要求部
305 引出要求部
306 支払要求部
307 支払受付部
308 両替・預入要求部
309 与信要求部
310 通貨発行証明書記憶部
311 中間証明書記憶部
312 利用者鍵記憶部
313 利用者公開鍵証明書記憶部
314 利用者通貨記憶部
320 鍵生成部
330 セキュア処理部
340 通貨流通部
1000 ドライブ装置
1001 記録媒体
1002 補助記憶装置
1003 メモリ装置
1004 CPU
1005 インタフェース装置
1006 表示装置
1007 入力装置
1008 出力装置 1 Electronic currency system 10 Issuing bank server 11 Root certification authority server 20 Financial institution server 25 Intermediate certification authority server 30 User terminal 101 Currency issuance key generation unit 102 Currency issuance certificate issuance unit 103 Financial institution public key certificate issuance information acquisition unit 104 Currency issuance unit 105 Withdrawal acceptance unit 106 Currency issuance key storage unit 107 Withdrawn currency storage unit 111 Root certification key generation unit 112 Root certification issuance unit 113 Financial institution authentication unit 114 Financial institution public key certificate issuance information transmission unit 115 Root certification key storage unit 116 Financial institution public key certificate issuance information storage unit 201 Currency issuance certificate issuance acceptance unit 202 Financial institution key generation unit 203 Financial institution authentication request unit 204 Currency issuance acceptance unit 205 Withdrawal acceptance unit 206 Update processing unit 207 Currency exchange/deposit acceptance unit 208 Payment request unit 209 Payment acceptance unit 210 Credit acceptance unit 211 Refund request unit 212 Currency issuance certificate storage unit 213 Financial institution key storage unit 214 Financial institution public key certificate storage unit 215 Unused currency storage unit 216 Currency in use storage unit 217 Updated currency storage unit 218 Used currency storage unit 251 Intermediate authentication key generation unit 252 Intermediate certificate issuance unit 253 User authentication unit 254 Intermediate authentication key storage unit 255 User public key certificate issuance information storage unit 301 Currency issuance certificate issuance acceptance unit 302 Intermediate certificate issuance acceptance unit 303 User key generation unit 304 User authentication request unit 305 Withdrawal request unit 306 Payment request unit 307 Payment acceptance unit 308 Exchange/deposit request unit 309 Credit request unit 310 Currency issuance certificate storage unit 311 Intermediate certificate storage unit 312 User key storage unit 313 User public key certificate storage unit 314 User currency storage unit 320 Key generation unit 330 Secure processing unit 340 Currency circulation section 1000 Drive device 1001 Recording medium 1002 Auxiliary storage device 1003 Memory device 1004 CPU
1005 Interface device 1006 Display device 1007 Input device 1008 Output device

Claims (7)

 公開鍵と署名との組を有するデータが複数個連結された情報を情報処理装置間で送受信する情報システムにおける情報処理装置であって、
 公開鍵と秘密鍵の組を生成してから、ある期間が経過した後に、又は、生成した公開鍵又は秘密鍵がある回数だけ使用された後に、新たに公開鍵と秘密鍵の組を生成し、新たに生成した前記公開鍵の証明書を取得するように構成されている鍵生成部と、
 新たに生成した前記公開鍵を含む情報を送信又は受信するように構成されている情報流通部と
 を備える情報処理装置。 An information processing device in an information system in which information in which a plurality of pieces of data each having a pair of a public key and a signature are linked is transmitted and received between information processing devices,
a key generation unit configured to generate a new pair of public key and private key and obtain a certificate for the newly generated public key after a certain period of time has elapsed since the generation of the pair of public key and private key, or after the generated public key or private key has been used a certain number of times;
and an information distribution unit configured to transmit or receive information including the newly generated public key.  前記情報処理装置の保有者は店舗であり、前記鍵生成部により生成される公開鍵は、前記店舗の仮名を示す公開鍵である
 請求項1に記載の情報処理装置。 The information processing device according to claim 1 , wherein an owner of the information processing device is a store, and the public key generated by the key generating unit is a public key indicating a pseudonym of the store.  前記鍵生成部は、セキュア処理部内に備えられる
 請求項1に記載の情報処理装置。 The information processing device according to claim 1 , wherein the key generation unit is provided within a secure processing unit.  前記鍵生成部は、秘密鍵を用いたワンタイム署名が行われた後に、新たに公開鍵と秘密鍵の組を生成する
 請求項1に記載の情報処理装置。 The information processing device according to claim 1 , wherein the key generation unit generates a new pair of a public key and a private key after a one-time signature is generated using a private key.  請求項1ないし4のうちいずれか1項に記載の情報処理装置と、前記証明書の生成を行うサーバとを含む情報システム。 An information system including an information processing device according to any one of claims 1 to 4 and a server that generates the certificate.  公開鍵と署名との組を有するデータが複数個連結された情報を情報処理装置間で送受信する情報システムにおける情報処理装置が実行する情報処理方法であって、
 公開鍵と秘密鍵の組を生成してから、ある期間が経過した後に、又は、生成した公開鍵又は秘密鍵がある回数だけ使用された後に、新たに公開鍵と秘密鍵の組を生成し、新たに生成した前記公開鍵の証明書を取得する鍵生成ステップと、
 新たに生成した前記公開鍵を含む情報を送信又は受信する情報流通ステップと
 を備える情報処理方法。 1. An information processing method executed by an information processing device in an information system in which information is transmitted and received between information processing devices, the information being a concatenation of a plurality of data pieces each having a pair of a public key and a signature, comprising:
a key generation step of generating a new public key and private key pair and obtaining a certificate for the newly generated public key after a certain period of time has elapsed since the generation of the public key and private key pair, or after the generated public key or private key has been used a certain number of times;
an information distribution step of transmitting or receiving information including the newly generated public key.  コンピュータを、請求項1ないし4のうちいずれか1項における情報処理装置の各部として機能させるためのプログラム。 A program for causing a computer to function as each part of an information processing device according to any one of claims 1 to 4.
PCT/JP2023/039294 2023-10-31 2023-10-31 Information processing device, information system, information processing method, and program Pending WO2025094278A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2023/039294 WO2025094278A1 (en) 2023-10-31 2023-10-31 Information processing device, information system, information processing method, and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2023/039294 WO2025094278A1 (en) 2023-10-31 2023-10-31 Information processing device, information system, information processing method, and program

Publications (1)

Publication Number Publication Date
WO2025094278A1 true WO2025094278A1 (en) 2025-05-08

Family

ID=95582525

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2023/039294 Pending WO2025094278A1 (en) 2023-10-31 2023-10-31 Information processing device, information system, information processing method, and program

Country Status (1)

Country Link
WO (1) WO2025094278A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH06162059A (en) * 1991-11-15 1994-06-10 Citibank Na Electronic currency system
WO2002049311A2 (en) * 2000-11-14 2002-06-20 Tritrust.Com, Inc. Pseudonym credentialing system
JP2006139693A (en) * 2004-11-15 2006-06-01 Hitachi Ltd Anonymous certificate issuing system and method
US20080243703A1 (en) * 2007-03-28 2008-10-02 Ahmed Ibrahim Al-Herz Virtual account based new digital cash protocols with combined blind digital signature and pseudonym authentication

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH06162059A (en) * 1991-11-15 1994-06-10 Citibank Na Electronic currency system
WO2002049311A2 (en) * 2000-11-14 2002-06-20 Tritrust.Com, Inc. Pseudonym credentialing system
JP2006139693A (en) * 2004-11-15 2006-06-01 Hitachi Ltd Anonymous certificate issuing system and method
US20080243703A1 (en) * 2007-03-28 2008-10-02 Ahmed Ibrahim Al-Herz Virtual account based new digital cash protocols with combined blind digital signature and pseudonym authentication

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
OKUDA, TETSUYA ET AL.: "Formal verification of double spend identification and privacy for transferable electronic cash system", IPSJ SIG TECHNICAL REPORT, INFORMATION PROCESSING SOCIETY OF JAPAN, JP, vol. 2023-DPS-194, no. 66, 27 February 2023 (2023-02-27), JP, pages 1 - 8, XP009563299, ISSN: 2188-8590 *

Similar Documents

Publication Publication Date Title
US11861606B2 (en) Blockchain system for confidential and anonymous smart contracts
JP7451797B2 (en) Computer-implemented systems and methods suitable for increasing the security of instant offline blockchain transactions
CN109155036B (en) Systems and methods for controlling asset-related actions via blockchain
US6157920A (en) Executable digital cash for electronic commerce
Brands Electronic cash on the Internet
JP2020071617A (en) Transaction method, program, verifying apparatus and creating method
HK1248364A1 (en) Verifying electronic transactions
WO2021144888A1 (en) Settlement processing device, settlement processing program, and settlement processing system
CN114936852B (en) A privacy token transaction method based on zero-knowledge proof in consortium chain account model
Li et al. Secure electronic ticketing system based on consortium blockchain
CN113486407A (en) Deposit receipt management system and method based on block chain
KR102332503B1 (en) Apparatus and method for creating a virtual currency account using a telephone number
CN113516461A (en) Quantum currency transaction method based on distributed account book
CN108090751A (en) Electronic cash system
JP6840319B1 (en) Transaction information processing system
JP7556464B2 (en) Electronic currency system, information processing device, electronic currency issuing method and program
JP3388566B2 (en) Electronic check method and apparatus with license
Luvison et al. A low-cost privacy-preserving digital wallet for humanitarian aid distribution
WO2025094278A1 (en) Information processing device, information system, information processing method, and program
WO2025094279A1 (en) Currency processing device, currency processing method, and program
WO2025220136A1 (en) Electronic currency system, currency processing device, currency processing method, and program
CN113486408B (en) Deposit receipt management system and method based on block chain
Das et al. A Study of New Micropayment Scheme for Blockchain
WO2024176410A1 (en) Currency use device, electronic currency system, currency use method, and program
Amirian Probabilistic Micropayments

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23957606

Country of ref document: EP

Kind code of ref document: A1