JP2008178005A - Data verification system, its method, identifier creator, data verifier, program thereof and record medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To form an algorithm adding a tendency in calculation, thereby reducing an overall calculation amount by a verification method using a conventional hash function and the like to accelerate speed in verification. <P>SOLUTION: Original data X of the verification are set to d-pieces of division information X<SB>i</SB>, and d-pieces of identifier Y<SB>i</SB>corresponding to X<SB>i</SB>are created by a formula 1 (each g and N denotes a natural number of 2 or more). Data X' which are a verification target are set to d-pieces of division information X<SB>i</SB>' in an identical method to X<SB>i</SB>, and Y' is calculated by a formula 2 (e<SB>i</SB>denote is an integer). By a formula 3, x is calculated. C=g<SP>x</SP>mod N is calculated, and if C=Y'mod N, it is determined that a matching property is contained. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a technique for verifying data consistency, and more specifically, a data verification system, a method, an identifier generation apparatus, and data verification for verifying whether two pieces of data separated temporally or physically are the same. The present invention relates to apparatuses, their programs, and recording media for storing the programs.

  Information stored in a physical medium may change due to various troubles over time. Well-known techniques for detecting this change include parity for detecting bit errors and CRC for detecting burst errors. These methods are simple to calculate and are applied as a method for detecting an abnormality of a disk and are used in a hard disk such as RAID or a flexible disk.

  In addition, information may change due to some trouble in a path in which physical media communicate with each other and are transferred. For this reason, when downloading huge data X, an identifier Y consisting of a short bit length, such as a hash value of MD5 or SHA-1, is downloaded at the same time as the data X, and data X ′ whose integrity is suspected (passed through downloading) An identifier may be calculated for the data X) and compared with the identifier Y of the data X to confirm whether or not the download was successful.

Of course, the same change can be detected using the previous error detection code, but in the case of communication via a network used by an unspecified majority such as the Internet, the communication content is rewritten to a malicious entity. In view of this, cryptographically secure hash functions are often used even for artificial operations.
Bruce Schneier, translated by Hiroo Yamagata, “Encyclopedia of Cryptographic Technology”, p475-509, Softbank Publishing, 2003

  An identifier that considers security by a hash function or the like has a relatively large amount of calculation compared to the surrounding situation in which the identifier is calculated, and it takes time to calculate the identifier. This is particularly noticeable when the data X to be verified is huge. In recent years, the speed of hash function calculation processing has been increased, but the line speed has dramatically increased with the spread of communication lines using ADSL and optical fibers. Therefore, when the data X is transmitted through such a high-speed network, it is difficult to verify communication integrity in real time using a hash function or the like.

The data verification system of the present invention includes a first data storage unit, a first data division unit, an identifier calculation unit, an identifier storage unit, a second data storage unit, a second data division unit, a Y ′ calculation unit, an x calculation unit, C A calculation unit and a consistency determination unit are provided.
The first data storage unit stores predetermined information X.
The first data division unit receives the information X and divides it into d pieces (d is a natural number of 2 or more) according to a predetermined procedure to generate division information X _i (2 ≦ i ≦ d). Output.
The identifier calculation unit receives the division information X _i and determines the identifier Y _i

（Ｎ、ｇは共に２以上の自然数）により計算し出力する。
識別子記憶部は、上記計算した識別子Ｙ_ｉを記憶する。

(N and g are both natural numbers of 2 or more).
The identifier storage unit stores the calculated identifier Y _i .

（ｅ_ｉは整数）により計算し出力する。
ｘ計算部は、上記分割情報Ｘ_ｉ´が入力され、ｘを The second data storage unit stores information X ′ to be compared with the information X.
The second data dividing unit receives the information X ′, divides it into d pieces according to the predetermined procedure, and generates and outputs divided information X _i ′.
The Y ′ calculation unit receives the identifier Y _{i and determines} Y ′

(E _i is an integer) is calculated and output.
The x calculation unit receives the division information X _i ′ and calculates x

により計算し、出力する。
Ｃ計算部は、上記ｘが入力され、Ｃを
Ｃ＝ｇ^ｘ mod Ｎ (4)
により計算し出力する。
整合性判定部は、上記Ｙ´と上記Ｃとが入力され、Ｃ＝Ｙ´mod Ｎであれば整合性有り、そうでなければ整合性無しとの判定結果を出力する。

Calculate and output by
The C calculator receives the above x and converts C into C = g ^x mod N (4)
Calculate and output by
The consistency determination unit inputs the Y ′ and the C, and outputs a determination result that there is consistency if C = Y′mod N, and that there is no consistency otherwise.

  The data verification system of the present invention uses different algorithms for identifier generation and consistency verification, so that the number of calculations is less than the one calculation amount for generating identifiers, and the number of calculations is greater during consistency verification. The amount of calculation per calculation is reduced. By using an algorithm that takes into account the tendency of calculation in this way, the total amount of calculation can be reduced as compared with a conventional verification method using a hash function or the like, and thus verification can be speeded up.

[First Embodiment]
1 and 2 are functional configuration examples of the identifier generation device 10 and the data verification device 20 that constitute the data verification system of the first embodiment. FIG. 3 is a processing flow of the first embodiment.
The identifier generation device 10 includes a first data storage unit 11, a first data division unit 12, an identifier calculation unit 13, a transmission unit 18, and a control unit 19.
The first data storage unit 11 stores data X to be verified (S1).
When the data X stored in the first data storage unit 11 is input, the first data dividing unit 12 divides the data X into d pieces (d is a natural number of 2 or more), and d pieces of division information X _i. (2 ≦ i ≦ d) is output (S2).
The value of d may be determined as appropriate. For example, d may be determined as a constant, or may be determined according to the length of X so that each X _i has the same length.
A method of dividing the data X into d pieces may be determined as appropriate. For example, the entire data X may be simply divided into d pieces, or may be assigned to X _i for each word from the top.

Identifier calculation unit 13, the d-number of X _i divided by the first data division unit 12 is input, the d-number identifier Y _i corresponding to X _i and outputs the calculated by the equation (1) ( S3). N and g are both natural numbers of 2 or more.
In the above calculation, X _i is made to correspond to a natural number of 0 or more by an appropriate method. For example, the bit string X _i is interpreted as a long binary number and is made to correspond.
The transmission unit 18 transmits the data X together with the d identifiers Y _i to the data verification device 20 via the network (S4). The network may be a WAN or a LAN as long as it causes a distance between devices.

The control unit 19 controls each process of the identifier generation device 10.
The data verification device 20 includes an identifier storage unit 21, a second data storage unit 22, a Y ′ calculation unit 23, a second data division unit 24, an x calculation unit 25, a C calculation unit 26, a consistency determination unit 27, and a reception unit 28. And a control unit 29.
The receiving unit 28 receives the data X ′ and the d identifiers Y _i transmitted via the network (S5). Here, the data X ′ is data for which consistency determination with the original data X is performed based on the identifier Y _i . It is assumed that the identifier Y _i is always generated from the data X and is received without being changed or altered on the transmission path.

The identifier storage unit 21 stores the d identifiers Y _i received by the receiving unit 28 (S6).
The second data storage unit 22 stores the data X ′ received by the receiving unit 28 (S6).
When the d identifiers Y _i stored in the identifier storage unit 21 are input, the Y ′ calculator 23 calculates Y ′ according to the equation (2) and outputs it (S7). Note that e _i is an integer.
When the data X ′ stored in the second data storage unit 22 is input, the second data dividing unit 24 divides this into d pieces (d is a natural number of 2 or more), and d pieces of division information X _i ′ (2 ≦ i ≦ d) is output (S8). The method of determining the value of d and the method of dividing the data X ′ into d pieces are based on a predetermined procedure common to the first data dividing unit 12.
When the x pieces of X _i ′ divided by the second data dividing unit 24 are input, the x calculating unit 25 calculates x according to the equation (3) and outputs it (S9).

When the x calculated by the x calculating unit 25 is input, the C calculating unit 26 calculates and outputs C according to the equation (4) (S10).
When the consistency determination unit 27 receives the Y ′ calculated based on the identifier Y _i generated from the data X and the C calculated based on the data X ′, the consistency determination unit 27 compares the two, If Y = mod N, the determination result that the data X and the data X ′ are consistent is output, and if not, the determination result that there is no consistency is output (S11).
The control unit 29 controls each process of the data verification device 20.
As described above, in the present invention, unlike the case where the identifier generation unit and the verification unit perform the same calculation as in the consistency verification by the hash function, the identifier generation unit 10 performs the calculation of Expression (1), and the data verification unit The operation 20 is performed by different algorithms such as the operations of equations (2) to (4).

Generally, when comparing the “number of times of writing” and the “number of times of reading” of information, it is considered that the “number of times of reading” is larger. Therefore, when verifying the integrity of information, the number of verifications for checking whether or not there is a difference from the criterion compared to the number of times that an identifier is generated from information serving as a criterion for integrity (= “number of times of writing”) (= “Number of times of reading”) inevitably increases. In particular, video content, which is a representative of large-capacity files, is assumed to be a situation where many people read information once created many times.
Therefore, it is noted that there are situations where it is desirable that the calculation cost is “generation of identifier”> “data integrity verification by identifier”. In the present invention, different algorithms are used for generation of identifier and data integrity verification by identifier. Adopted.

Specifically, the amount of calculation of the identifier in equation (1) is basically proportional to the size of X, and therefore, when X is large, it takes a certain amount of time to generate the identifier. However, at the time of verification, the calculation of Equation (2) can be performed in parallel with the download of X, and the calculation of Equation (3) is merely a sum of products, so the load is small. The calculation cost at the time of verification is relatively light so that the calculation of) is completed once.
Such an algorithm configuration is particularly effective when there is no problem even if the generation of identifiers is somewhat late, although real-time properties are required for verification of data consistency as in video content.

[Second Embodiment]
The first embodiment is a configuration in the case where information changes due to some trouble in a path through which information is transferred through communication between physical media, that is, matching between physically separated data X and data X ′. It is the structure which verifies property. On the other hand, the second embodiment has a configuration in which information stored in the same physical medium changes due to some trouble as time passes, that is, data X and data X separated in time. This is a configuration for verifying consistency with ′. Therefore, in the second embodiment, unlike the first embodiment, the identifier generation device and the data verification device are integrally configured.

FIG. 4 is a functional configuration example of the integrated apparatus 30 constituting the data verification system of the second embodiment.
The integrated apparatus 30 includes a data storage unit 31, a data division unit 32, an identifier calculation unit 13, an identifier storage unit 21, a Y ′ calculation unit 23, an x calculation unit 25, a C calculation unit 26, a consistency determination unit 27, and a control unit. 39.
The identifier calculation unit 13, the identifier storage unit 21, the Y ′ calculation unit 23, the x calculation unit 25, the C calculation unit 26, and the consistency determination unit 27 are the same as the parts having the same names in FIGS. 1 and 2 of the first embodiment. is there. Therefore, in FIG. 4, the parts corresponding to those in FIGS. 1 and 2 are denoted by the same reference numerals, and the description thereof is omitted. The same applies to other drawings.

The data storage unit 31 has the functions of the first data storage unit 11 and the second data storage unit 22 of the first embodiment, and the data dividing unit 32 is the same as the first data dividing unit 12 of the first embodiment. This also has the function of the second data dividing unit 24.
The control unit 39 controls each process performed in the integrated device 30.
A processing flow of the second embodiment is shown in FIG.
First, an identifier used for verification is generated.

Data X that is a source of verification is stored in the data storage unit 31 (S1). The data dividing unit 32 divides the data X stored in the data storage unit 31 into d pieces to generate and output d pieces of division information X _i . The method of determining the value of d and the method of dividing the data X ′ into d pieces are based on the same idea as the first data dividing unit 12 (S2). The d pieces of X _i divided by the data division unit 32 are input to the identifier calculation unit 13, and d identifiers Y _i corresponding to X _i are calculated and output according to the equation (1) (S 3) Store in the unit 21 (S4).
Then, the next verification process is performed when necessary.

The Y ′ calculation unit 23 calculates Y ′ by the equation (2) using the d identifiers Y _i stored in the identifier storage unit 21 (S5). The data dividing unit 32 divides d data X ′ (data after the elapse of time of the data X at the time of identifier generation) stored in the data storage unit 31 into d pieces by the same method as applied in S2. The division information X _i ′ is created and output (S6). When the x pieces of X _i ′ divided by the second data dividing unit 24 are input to the x calculating unit 25, the x calculating unit 25 calculates and outputs x according to the expression (3) (S7). When the x calculated by the x calculating unit 25 is input, the C calculating unit 26 calculates and outputs C according to the equation (4) (S8). When the Y ′ calculated based on the identifier Y _i generated from the data X and the C calculated based on the data X ′ are input, the consistency determination unit 27 compares the two, and C = If Y′mod N, the determination result that the data X and the data X ′ are consistent is output, and if not, the determination result that there is no consistency is output (S9).
With the above configuration, even if the information stored in the same physical medium changes over time due to some trouble, data consistency can be quickly verified as in the first embodiment. .

[Third Embodiment]
In the third embodiment, the external storage device is used in the integrated configuration of the second embodiment. Specifically, after the identifier is generated, the data X is temporarily moved / saved to the external storage device via the network. This is a configuration for verifying the consistency between the data X ′ and the data X ′ when the data X ′ stored in the device is downloaded to the integrated device again.

FIG. 6 is a functional configuration example of the integrated device 40 and the external storage device 200 constituting the data verification system of the third embodiment.
The integrated apparatus 40 includes a first data storage unit 41, a data division unit 32, an identifier calculation unit 13, an identifier storage unit 21, a Y ′ calculation unit 23, an x calculation unit 25, a C calculation unit 26, a consistency determination unit 27, A transmission / reception unit 48 and a control unit 49 are included.
The data division unit 32, the identifier calculation unit 13, the identifier storage unit 21, the Y ′ calculation unit 23, the x calculation unit 25, the C calculation unit 26, and the consistency determination unit 27 are the same as those in the second embodiment.
The first data storage unit 41 is obtained by adding an interface function with the transmission / reception unit 48 to the data storage unit 31 of the second embodiment.
The transmission / reception unit 48 has a communication function between the integrated device 40 and the external storage device 200.
The control unit 49 controls each process performed in the integrated apparatus 40.
The external storage device 200 includes a second data storage unit 222 and a transmission / reception unit 48.
The second data storage unit 222 stores the data X ′ received by the transmission / reception unit 48.
A processing flow of the third embodiment is shown in FIG.
First, an identifier used for verification in the integrated device 40 is generated.

Data X that is a source of verification is stored in the first data storage unit 41 (S1). The data dividing unit 32 divides the data X stored in the first data storage unit 41 into d pieces to generate and output d pieces of division information X _i . The method of determining the value of d and the method of dividing the data X ′ into d pieces are based on the same idea as the first data dividing unit 12 (S2). Identifier calculation unit 13, the d-number of X _i divided by the data dividing unit 32 is input, the d-number identifier Y _i corresponding to X _i and output calculated by Equation (1) (S3) The identifier storage unit 21 stores this (S4).

Next, the data X is moved / saved in the external storage device 200.
The transmission / reception unit 48 transmits the data X stored in the first data storage unit 41 to the external storage device 200. After the transmission, the control unit 49 deletes the data X in the first data storage unit 41 (S5). The transmission / reception unit 48 of the external storage device 200 receives the data X ′ transmitted via the network, and stores the data X ′ in the second data storage unit 222 (S6).
Then, the data X ′ is downloaded to the integrated device 40 and the consistency is verified.

The data X ′ stored in the second data storage unit 222 is transmitted from the transmission / reception unit 48 of the external storage device 200 to the integrated device 40 via the network (S7). The data X ′ transmitted via the network is received by the transmission / reception unit 48 of the integrated apparatus 40 and stored in the first data storage unit 41 (S8). The Y ′ calculation unit 23 calculates Y ′ by the equation (2) using the d identifiers Y _i stored in the identifier storage unit 21 (S9). The data dividing unit 32 divides the data X ′ stored in the first data storage unit 41 into d by the same method as that applied in S2, and generates and outputs d pieces of division information X _i ′ (S10). ). When the x pieces of X _i ′ divided by the second data dividing unit 24 are input to the x calculating unit 25, the x calculating unit 25 calculates x according to the expression (3) and outputs it (S11). When the x calculated by the x calculating unit 25 is input, the C calculating unit 26 calculates and outputs C according to the equation (4) (S12). When the consistency determination unit 27 receives the Y ′ calculated based on the identifier Y _i generated from the data X and the C calculated based on the data X ′, the consistency determination unit 27 compares the two, If C = Y′mod N, the determination result that the data X and the data X ′ are consistent is output, and if not, the determination result that there is no consistency is output (S13).

  With the above configuration, even when an external storage device is used, the consistency between the data X and the data X ′ can be quickly verified.

[Fourth Embodiment]
In the fourth embodiment, the value of N used for calculating an identifier or the like is a positive composite number that is difficult to be prime factorized, and the security against attacks by the Service-to-Self is improved.
N used in the calculation of equation (1) is a natural number of 2 or more. However, when N is a prime number or a number that can be easily factored, the order of Y _i can be known, and as a result, the data X As a result, a plurality of X _i for satisfying the expression (1) can be calculated for Y _i generated based on the above, and thus there remains anxiety about safety against attacks by Service-to-Self.
Therefore, in the fourth embodiment, the safety can be improved by making N a positive composite number that is difficult to prime factorization and reducing the collision difficulty to the difficulty of prime factorization.

[Fifth Embodiment]
The fifth embodiment is configured to speed up the calculation of identifiers on the assumption that the identifier generator knows p and q of N = p · q (both p and q are prime numbers).
FIG. 8 is a functional configuration example of the identifier generation device 50 constituting the data verification system of the fifth embodiment. Note that the configuration of the data verification apparatus that is opposed via the network may be the same as that of the first embodiment. FIG. 9 is a processing flow of the fifth embodiment.
The identifier generation device 50 includes a first data storage unit 11, a first data division unit 12, an ξ calculation unit 51, an identifier calculation unit 53, a transmission unit 18, and a control unit 59.

The first data storage unit 11, the first data division unit 12, and the transmission unit 18 are the same as those in the first embodiment. That is, the fifth embodiment has a configuration in which the identifier calculation unit 13 of the first embodiment is replaced with a ξ calculation unit 51 and an identifier calculation unit 53.
In the configurations of the second embodiment and the third embodiment, the effect of speeding up can be obtained similarly by replacing the identifier calculation unit 13 with the ξ calculation unit 51 and the identifier calculation unit 53.
xi] calculating section 51, d pieces of X _i divided by the first data division unit 12 is input, d items xi] _i corresponding to X _i and outputs the calculated by the following equation. Note that p and q are both prime numbers.
ξ _i = X _i mod (p−1) · (q−1) (5)
Identifier calculation unit 53, xi] _i of d pieces calculated by the xi] calculation unit 51 is inputted, the d-number identifier Y _i corresponding to xi] _i and outputs the calculated by the following equation. Note that N = p · q.

制御部５９は、識別子生成装置５０で行われる各処理を制御する。
式(1)による識別子の計算は、元となるデータＸをｄ個に分割して行っているものの、特にデータＸが大きな値の場合には全体の処理速度への影響が大きい。
式(1)のような剰余計算の解（式(1)においてはＹ_ｉ）はＮを法とする場合、べき乗数Ｘ_ｉに関し、Ｙ_ｉの位数の周期（ｐ、ｑが素数でＮ＝ｐ・ｑの場合、（ｐ−１）・（ｑ−１））で繰り返し同じ値をとる。このような特性から、式(1)のようにＸ_ｉで直接べき乗するのではなく、先に式(5)のようにＸ_ｉに対し位数により剰余計算を行い、Ｘ_ｉを位数の範囲内に縮小化した計算結果ξ_ｉをＸ_ｉの代わりに利用して式(6)の剰余計算を行っても同じ解が得られる。

The control unit 59 controls each process performed by the identifier generation device 50.
Although the calculation of the identifier by the equation (1) is performed by dividing the original data X into d pieces, the influence on the overall processing speed is great particularly when the data X is a large value.
If (in the formula (1) Y _i) solutions of remainder calculation of Equation (1) is modulo N, it relates exponent X _i, order of the period (p of Y _i, q is a prime number N When = p · q, (p-1) · (q-1)) repeatedly takes the same value. From such characteristics, rather than power directly X _i as in Equation (1), the remainder calculated by the position number to X _i as previously Equation (5), the X _i order of the The same solution can be obtained even if the remainder calculation of Equation (6) is performed using the calculation result ξ _i reduced within the range instead of X _i .

In the fifth embodiment, by adopting such a calculation method, the value is further reduced within the order range rather than the value obtained by simply dividing the data X into d powers as it is. Therefore, it is possible to speed up the calculation of the identifier.
In the fifth embodiment, the case of N = p · q is taken up. However, even when N is a prime number, the equation (5) is changed to ξ _i = X _i mod (N−1) in the same way, so that high speed is achieved. The effect of making can be obtained.

[Sixth Embodiment]
In the case of the fifth embodiment, in the case of the fifth embodiment, the value of N used for calculation of identifiers and the like is a positive composite number that is difficult to factorize, as in the fourth embodiment.
By taking this form, it is possible to enjoy both higher security obtained in the fourth embodiment and higher processing speed obtained in the fifth embodiment.

[Seventh Embodiment]
In the seventh embodiment, the value of g used for calculation of an identifier or the like is a natural number of 2 or more that is relatively prime to N, and as in the fourth embodiment, security against attacks by Service-to-Self is improved.
If g used in the calculation of equation (1) is a number that is not mutually prime with N, N can be factored if the common divisor of g and N is found. There is a danger.
For this reason, in the seventh embodiment, by making g a relatively prime number with N, the risk of attack can be avoided and the safety can be further improved.

[Eighth Embodiment]
In the eighth embodiment, the value of e _i used in the calculation of Y ′ and the calculation of x is set to a random value, thereby improving the security against the Service-to-Self attack.
FIG. 10 is a functional configuration example of the data verification apparatus 80 configuring the data verification system of the eighth embodiment. Note that the configuration of the identifier generation device that is opposed via the network may be the same as that of the first embodiment. FIG. 11 is a processing flow of the eighth embodiment.
Data verification unit 80, the identifier storage unit 21, the second data storage unit 22, _{e i} generation unit 81, Y'calculation unit 83, second data divider 24, x calculator 85, C calculator 26, the consistency determination Unit 27, receiving unit 28, and control unit 89.

In other words, the eighth embodiment is the Y'calculating unit 83 the Y'calculating unit 23 of the first embodiment, is replaced with an x calculator 25 in x calculator 85, a configuration obtained by adding the _{e i} generator 81.
Note that the second embodiment, in the configuration of the third embodiment, the Y'calculation unit 23 in the Y'calculation unit 83, is replaced with an x calculator 25 in x calculator 85, the addition of _{e i} generator 81 Thus, safety can be improved in the same manner.
e _i generation unit 81 generates the integer randomly output.

Y'calculation unit 83, and e _i output from d-number identifier Y _i and e _i generator 81 stored in the identifier storage unit 21 is input, and calculates and outputs Y'by Equation (2) To do.
x calculation unit 85, and e _i output from d pieces of X _{i 'and} e _i generator 81 that is divided by the second data division unit 24 is input calculates the x output by Equation (3) To do.
In the equations (2) and (3), e _i is multiplied and raised for the following reasons, respectively.
Considering the case where _ei does not exist in the equations (2) and (3), Y ′ = g ^X mod N is obtained when the equation (2) is modified, and C = g ^{X ′} mod N is obtained when the equation (4) is modified. Become. In both formulas, g and N are common, and C = Y′mod N is established from the property of the power-residue calculation that the data X and the data X ′ are consistent (the value of the power part is the same). ) Therefore, there is an undeniable danger that the Service-to-Self attacks using X ′ in which C = Y′mod N is satisfied but X = X ′ is not satisfied. In addition, even when calculation is performed by dividing X and X ′ by d X _i and X _i ′, it is X and X ′ that are sums that affect the consistency determination between Y ′ and C. Therefore, even if some of the d X _i ′ are switched, it cannot be detected.

この場合においてもＣ＝Ｙ´mod Ｎが成立するのは、必ずしも両式のべき乗部分の値が等しい場合に限らない。しかし、べき乗部分が単なる分割データＸ_ｉ、Ｘ_ｉ´の総和ではなく分割データＸ_ｉ、Ｘ_ｉ´ごとにｅ_ｉが積算されているため、たとえべき乗部分の値がわかってもｅ_ｉがわからない限り、Ｃ＝Ｙ´mod Ｎを成立させるデータＸ´を見つけ出すのは難しい。また、ｄ個のＸ_ｉ´のうち順序が入れ替わっているものがあるような場合でも検出しやすい。
そこで、本発明においては全実施形態でＹ´及びｘの計算式にｅ_ｉをべき乗又は乗算することにより攻撃に対する安全性の向上を図っている（第１〜第７実施形態においては、ｅ_ｉは整数）。 On the other hand, when there is e _i and equation (2) into equation (3), by modifying the equation (2) Equation (4), respectively expressed as follows.

Even in this case, C = Y′mod N is not always satisfied when the values of the powers of both equations are equal. However, mere divided data X _i is a power _{section, for 'dividing} data X _i rather than the sum _of, X _i' X i is e _i for each is accumulated, do not know the e _i even if found value of power section As long as it is difficult to find the data X ′ that establishes C = Y′mod N. In addition, it is easy to detect even in the case where there is a change in the order among the d pieces of X _i ′.
Therefore, in the present invention, in all of the embodiments, the safety against attack is improved by exponentiating or multiplying the calculation formulas of Y ′ and x by e _i (in the first to seventh embodiments, e _i is improved _). Is an integer).

In the eighth embodiment, by making this e _i a random value, it becomes difficult for the Service-to-Self to know e _i , thereby improving safety.
In order to further improve safety, it is desirable to recalculate e _i each time verification is performed.

[Ninth Embodiment]
In the ninth embodiment, random e _i in the eighth embodiment is generated by a power-residue calculation.
Functional configuration of the data verification system of the ninth embodiment, except for the internal configuration of the e _i generator 81 is similar to the data verification device 80 of the eighth embodiment. FIG. 12A is an internal configuration example of the _ei generation unit 81 of the ninth embodiment. e _i generation unit 81 includes a random number generation portion 81a and the modular exponentiation calculation unit 81b.
The random number generator 81a generates and outputs one or more random natural numbers e. As the random e, for example, a pseudo random number can be used. As a pseudo random number generation method, a pseudo random number generation algorithm based on a computational complexity theory configured using a one-way hash function such as SHA-1 can be used.

Modular exponentiation calculation unit 81b is the random natural number outputted from the random number generating unit 81a e are inputted to the e _i is calculated by the following equation output. Note that s is a natural number of 2 or more.
e _i = e ^i-1 mod s (9)
This way modular exponentiation calculation can generate random e _i. In addition, when e _i is generated by a pseudo-random number, the above-mentioned e generated by a pseudo-random number is applied to the equation (9), so that d pseudo-random numbers can be generated without operating the pseudo-random number generation algorithm when calculating e _i. it is possible to generate a random number e _i. Therefore, it is possible to reduce the amount of calculation compared to calculating all e _i using a pseudo-random number generation algorithm.
In equation (9), the larger s is, the more difficult it is for a malicious attacker to find e _i . For example, when it is desired to secure security of about 80 bits, it is desirable to set s to a number of about 80 bits or more.

[Tenth embodiment]
Embodiment 10, a random e _i in the eighth embodiment, in which the inverse image computation is generated using a hard function.
Functional configuration of the data verification system of the tenth embodiment, except for the internal configuration of the e _i generator 81 is similar to the data verification device 80 of the eighth embodiment. FIG. 12B is an internal configuration example of the _ei generation unit 81 of the tenth embodiment. e _i generation unit 81, and a random number generation unit 81a and the H function calculating unit 81c.

The H function calculation unit 81c receives the random natural number e output from the random number generation unit 81a, and calculates and outputs e _{i according} to the following equation. H is a function that is difficult to perform inverse image calculation. Examples of functions that are difficult to perform inverse image calculation include a one-way hash function. (E, i) means bit connection between e and i.
e _i = H (e, i) (10)
Random e _i can be generated by such a function calculation. If e _i is to be generated by a pseudo-random number, the above-mentioned e generated by a pseudo-random number is applied to Equation (10), so that d pseudo-random numbers can be generated without operating the pseudo-random number generation algorithm when calculating e _i. it is possible to generate a random number e _i. Therefore, it is possible to reduce the amount of calculation compared to calculating all e _i using a pseudo-random number generation algorithm.
In this embodiment, since it is difficult to find e from e _i by inverse image operation, even if some e _i leaks, the attacker cannot find e, so the rest it is not possible to find a e _i. Therefore, it is possible to improve the safety against Service-to-Self attacks.

[Eleventh embodiment]
Eleventh embodiment, a random e _i in the eighth embodiment, in which each of the output values for different input values generated using a hard function collisions.
Function configuration of the data verification system of the eleventh embodiment, except for the internal configuration of the e _i generator 81 is similar to the data verification device 80 of the eighth embodiment. FIG. 12B is an internal configuration example of the _ei generation unit 81 of the tenth embodiment. e _i generation unit 81, and a random number generation unit 81a and the S function calculating unit 81d.
S function calculating unit 81d is the random natural number outputted from the random number generating unit 81a e are inputted to the e _i is calculated by the following equation output. Note that S is a function in which output values for different input values are difficult to collide, for example, a function having a property that output values are different when two input values are given. Examples of functions that are difficult to collide include a hash function. (E, i) means bit connection between e and i.

e _i = S (e, i) (11)
Random e _i can be generated by such a function calculation. If e _i is to be generated by a pseudo-random number, the above-mentioned e generated by a pseudo-random number is applied to Equation (11), so that d pseudo-random numbers can be generated without operating the pseudo-random number generation algorithm when calculating e _i. it is possible to generate a random number e _i. Therefore, it is possible to reduce the amount of calculation compared to calculating all e _i using a pseudo-random number generation algorithm.
In the above formula (7) and (8), for example, if when the same value is more e _i of d pieces of e _i, between X _i and X _{i 'corresponding} to the portion of the same value Even if the order is changed, it cannot be detected. Therefore, by generating e _i with a function that is difficult to collide and making e _i different from each other, it is possible to detect the case where the order is switched between X _i and X _i ′, and the determination accuracy is improved. Can be improved.

[Twelfth embodiment]
Twelfth embodiment is configured to integer and constant e _i, can be applied in each of the first to seventh embodiment.
By the e _i a constant, but is less secure than the randomly lowered, it is effective when it is desired to lighter or when processing to be simplified apparatus.
The data verification system, the method, the identifier generation device, and the data verification device according to the present invention are not limited to the above-described embodiments, and can be appropriately changed without departing from the present invention. In addition, the processes described above are not only executed in time series according to the order of description, but may be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes.

When the processing functions in the data verification system, the identifier generation device, and the data verification device are realized by a computer, the processing contents of the functions that the data verification system, the identifier generation device, and the data verification device should have are described by a program. By executing this program on a computer, the processing functions of the data verification system, the identifier generation device, and the data verification device are realized on the computer.
The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used. Specifically, for example, as a magnetic recording device, a hard disk device, a flexible disk, a magnetic tape or the like, and as an optical disk, a DVD (Digital Versatile Disc), a DVD-RAM (Random Access Memory), a CD-ROM (Compact Disc Read Only Memory). ), CD-R (Recordable) / RW (ReWritable), etc., magneto-optical recording medium, MO (Magnet-Optical disc), etc., semiconductor memory, EEP-ROM (Electronically Erasable and Programmable-Read Only Memory), etc. Can be used.

The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Further, the program may be distributed by storing the program in a recording device of the server computer and transferring the program from the server computer to another computer via a network.
A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its recording device. When executing the process, this computer reads the program stored in its own recording medium and executes the process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Further, the program may not be transferred from the server computer to the computer, and the above processing may be executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. Good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, a data verification system, an identifier generation device, and a data verification device are configured by executing a predetermined program on a computer. However, at least a part of these processing contents is realized by hardware. It is good to do.

<Confirmation of effect of invention by experiment>
The present invention was experimentally verified for identifier generation and data integrity verification. Hereinafter, experimental methods and results will be described.
The contents of the present invention can be broadly divided into 1. 1. identifier generation; There are two types of data integrity verification using identifiers. In this paper, we try to implement the best implementation for each. Note that the measurement environment is as shown in FIG. 13 and the sizes of the measurement parameters are as shown in FIG.

1. Generation of identifiers The effect of the fifth embodiment for speeding up the calculation of identifiers was confirmed.
FIG. 15 shows the result of comparison with the case where p and q are not used for calculating the identifier.
By using p and q, the speed can be increased by about 400 times. In this case, it is possible to generate the identifier at a speed close to real time. In the present invention, since the information X is divided into d blocks, the respective identifiers Y ₁ ,..., Y _d can be calculated completely independently, so that this part can be processed in parallel.

2. Data integrity verification The effect of speeding up the data integrity verification time by the verification method of the first embodiment was confirmed.
FIG. 16 shows a comparison result with the case where the standard hash function is used. The comparison was performed by changing the size of the data X from 1 Gbit to 10 Gbit every 1 Gbit.
Assuming that the size of X is αGbit, the verification method according to the present invention has a processing time of 1.23 + 0.159α (seconds). If the file size increases, the first constant part can be ignored, so a huge file can be processed at 6.29 Gbps. This is about 4.5 times faster than SHA-1 and about 11.3 times faster than SHA-256.

Also, when the file size is small, SHA-1 takes almost the same processing time for 2.24 Gbit (286 Mbytes), and SHA-256 takes about the same processing time for 0.74 Gbit (95 Mbytes). It takes. The processing times at this time are about 1.6 seconds and 1.3 seconds, respectively. The verification method according to the present invention is more effective as the amount of information to be verified becomes larger.
FIG. 17 shows the result of comparison with the capacity of one general video content DVD. It can be seen that the verification method of the present invention can be verified at a speed four times faster than SHA-1.

Furthermore, in the verification method of the present invention, the calculation of equation (2) and the calculation of equations (3) and (4) can be calculated completely in parallel. Therefore, a verification experiment was also performed when these parts were performed by parallel processing.
FIG. 18 shows the time required to verify the integrity of data for random numbers corresponding to three types of disk capacities of DVD, HD-DVD, and Blu-ray.
In AMD64 × 2 2 GHz, a throughput of about 12 Gbps (1.5 Gbyte / s) is obtained. This is 6 bits / cycle or more, and shows the performance overwhelming hash algorithms such as SHA.

  For these reasons, for example, when verifying a signature of huge data, the time required for hashing is dominant, and if a data increase of about 0.1% can be tolerated, a hash function is calculated for the identifier. Various applications can be expected such as high-speed signature verification by adding a signature.

  Since different algorithms are used for identifier generation and consistency verification in the present invention, real-time characteristics are required for data consistency verification as in video content, but there is no problem even if tag generation is somewhat slow. Is particularly effective.

The block diagram of the identifier production | generation apparatus 10 by this invention. The block diagram of the data verification apparatus 20 by this invention. The processing procedure of 1st Embodiment by this invention. The block diagram of the integrated apparatus 30 by this invention. The processing procedure of 2nd Embodiment by this invention. 1 is a configuration diagram of an integrated device 40 and an external storage device 200 according to the present invention. FIG. The processing procedure of 3rd Embodiment by this invention. The block diagram of the identifier production | generation apparatus 50 by this invention. The processing procedure of 5th Embodiment by this invention. The block diagram of the data verification apparatus 80 by this invention. The processing procedure of 8th Embodiment by this invention. The internal block diagram of the _ei production _| generation part 81 by this invention. The measurement environment list in the case of the experiment confirmation of the effect by this invention. List of measurement parameter sizes when confirming the experiment. Comparison of identifier creation time according to whether or not p and q are used when calculating identifiers. Comparison of verification time by capacity between standard hash function and proposed method. Comparison of verification time when verifying the capacity of one DVD. Comparison of verification time for each major disk standard when implementing parallel processing.

Claims (21)

A data verification system for verifying the consistency of two data,
A first data storage unit for storing predetermined information X;
A first data division unit that receives the information X, divides it into d pieces (d is a natural number of 2 or more) according to a predetermined procedure, and generates and outputs division information X _i (2 ≦ i ≦ d) When,
The division information X _i is input, and the identifier Y _i is

(N and g are both natural numbers greater than or equal to 2)
An identifier storage unit for storing the calculated identifier Y _i ;
A second data storage unit that stores information X ′ to be compared with the information X;
A second data dividing unit that receives the information X ′, divides the information X ′ into d pieces according to the predetermined procedure, and generates and outputs divided information X _i ′;
The identifier Y _i is input and Y ′ is

A Y ′ calculation unit that calculates and outputs (e _i is an integer);
The division information X _i ′ is input and x is

X calculation unit for calculating and outputting by
A C calculation unit that receives ^{x and} calculates and outputs C according to C = g ^x mod N;
The consistency determination unit that outputs the determination result that the Y ′ and the C are input, and if C = Y′mod N, the consistency is present;
A data verification system comprising:   2. The data verification system according to claim 1, wherein the N is a positive composite number that is difficult to be prime factorized. A data verification system for verifying the consistency of two data,
N = p · q (p and q are both prime numbers),
A first data storage unit for storing predetermined information X;
A first data division unit that receives the information X, divides it into d pieces (d is a natural number of 2 or more) according to a predetermined procedure, and generates and outputs division information X _i (2 ≦ i ≦ d) When,
A ξ calculator that receives the division information X _{i and} calculates and outputs ξ _i by ξ _i = X _i mod (p−1) · (q−1);
The xi] _i is inputted, the identifier _{Y i} to ^{_{Y i = g ξi mod N (}} g is a natural number of 2 or more) and the identifier calculation unit that calculates and outputs a result,
An identifier storage unit for storing the calculated identifier Y _i ;
A second data storage unit that stores information X ′ to be compared with the information X;
A second data dividing unit that receives the information X ′, divides the information X ′ into d pieces according to the predetermined procedure, and generates and outputs divided information X _i ′;
The identifier Y _i is input and Y ′ is

A Y ′ calculation unit that calculates and outputs (e _i is an integer);
The division information X _i ′ is input and x is

X calculation unit for calculating and outputting by
A C calculation unit that receives ^{x and} calculates and outputs C according to C = g ^x mod N;
The consistency determination unit that outputs the determination result that the Y ′ and the C are input, and if C = Y′mod N, the consistency is present;
A data verification system comprising:   4. The data verification system according to claim 3, wherein said N is a value that is difficult to factorize into p and q.   5. The data verification system according to claim 1, wherein g is a natural number of 2 or more that is relatively prime to N. 6. The data verification system according to claim 1, the data verification system, characterized by comprising e _i generation unit for generating and outputting at random the e _i. The data verification system according to claim 6, wherein the e _i generation unit includes:
A random number generator that generates and outputs a random natural number e of 1 or more;
A modular exponentiation unit that receives the e and calculates the e _i by e _i = e ^i-1 mod s (s is a natural number of 2 or more);
A data verification system comprising: The data verification system according to claim 6, wherein the e _i generation unit includes:
A random number generator that generates and outputs a random natural number e of 1 or more;
The e is input, and the e _{i is changed} to e _i = H (e, i)
(E, i) is a bit concatenation of e and i, H is a function that is difficult to calculate an inverse image,
A data verification system comprising: The data verification system according to claim 6, wherein the e _i generation unit includes:
A random number generator that generates and outputs a random natural number e of 1 or more;
The above e is input, and the above e _{i is changed} to e _i = S (e, i)
An S function calculation unit that calculates and outputs ((e, i) is a bit concatenation of e and i, S is a function that is difficult to collide),
A data verification system comprising: 6. The data verification system according to claim 1, wherein the e _i is a constant. A data storage unit for storing predetermined information X;
A data dividing unit that receives the information X and generates and outputs divided information X _i (2 ≦ i ≦ d) by dividing it into d pieces (d is a natural number of 2 or more) according to a predetermined procedure;
The division information X _i is input, and the identifier Y _i is

(N and g are both natural numbers greater than or equal to 2)
An identifier generation device comprising: N = p · q (p and q are both prime numbers),
A data storage unit for storing predetermined information X;
A data dividing unit that receives the information X and generates and outputs divided information X _i (2 ≦ i ≦ d) by dividing it into d pieces (d is a natural number of 2 or more) according to a predetermined procedure;
A ξ calculator that receives the division information X _{i and} calculates and outputs ξ _i by ξ _i = X _i mod (p−1) · (q−1);
The xi] _i is inputted, the identifier _{Y i} to ^{_{Y i = g ξi mod N (}} g is a natural number of 2 or more) and the identifier calculation unit that calculates and outputs a result,
An identifier generation device comprising: An identifier storage unit that stores the identifier Y _i output from the identifier generation device according to claim 11,
A data storage unit that stores information X ′ to be compared with information X that is the source information of the identifier Y _i ;
A data dividing unit that receives the information X ′ and divides it into d pieces (d is a natural number of 2 or more) according to a predetermined procedure to generate and output divided information X _i ′ (2 ≦ i ≦ d) When,
The identifier Y _i is input and Y ′ is

A Y ′ calculation unit that calculates and outputs (e _i is an integer, N is a natural number of 2 or more);
The division information X _i ′ is input and x is

X calculation unit for calculating and outputting by
A C calculation unit that receives ^{x and} calculates and outputs C by C = g ^x mod N (g is a natural number of 2 or more);
The consistency determination unit that outputs the determination result that the Y ′ and the C are input, and if C = Y′mod N, the consistency is present;
A data verification apparatus comprising: A data verification method for verifying the consistency of two data,
A first data dividing unit that divides predetermined information X into d pieces (d is a natural number of 2 or more) according to a predetermined procedure to generate divided information X _i (2 ≦ i ≦ d);
The identifier calculation unit obtains the identifier Y _i from the division information X _i.

(N and g are both natural numbers of 2 or more)
A step in which the second data dividing unit divides the information X ′ to be compared with the information X into d pieces according to the predetermined procedure to generate divided information X _i ′;
Y ′ calculation unit obtains Y ′ from the identifiers Y _i

Calculating (e _i is an integer);
The x calculation unit calculates x from the division information X _i ′.

The step of calculating by
A step in which a C calculation unit calculates C from x by C = g ^x mod N;
A step in which a consistency determination unit compares the above Y ′ with the above C and outputs a determination result that there is consistency if C = Y′mod N, and that there is no consistency otherwise;
A data verification method comprising: A data verification method for verifying the consistency of two data,
N = p · q (p and q are both prime numbers),
A first data dividing unit that divides predetermined information X into d pieces (d is a natural number of 2 or more) according to a predetermined procedure to generate divided information X _i (2 ≦ i ≦ d);
a step xi] calculation unit for calculating, the xi] _i from the division information X _i, by _{ξ i = X i mod (p} -1) · (q-1),
A step identifier calculation unit, an identifier _{Y i} from the xi] _i, which is calculated by ^{_{Y i = g ξi mod N (}} g is a natural number of 2 or more),
A step in which the second data dividing unit divides the information X ′ to be compared with the information X into d pieces according to the predetermined procedure to generate divided information X _i ′;
Y ′ calculation unit obtains Y ′ from the identifiers Y _i

Calculating (e _i is an integer);
The x calculation unit calculates x from the division information X _i ′.

The step of calculating by
A step in which a C calculation unit calculates C from x by C = g ^x mod N;
A step in which a consistency determination unit compares the above Y ′ with the above C and outputs a determination result that there is consistency if C = Y′mod N, and that there is no consistency otherwise;
A data verification method comprising:   The program for functioning a computer as a system in any one of Claims 1-10.   A program for causing a computer to function as the apparatus according to claim 11.   A program for causing a computer to function as the apparatus according to claim 13.   A computer-readable recording medium on which the program according to claim 16 is recorded.   A computer-readable recording medium on which the program according to claim 17 is recorded.   A computer-readable recording medium on which the program according to claim 18 is recorded.

Images