JP2009186950A - Applied system of homomorphic one-way function operating device - Google Patents


Publication number
JP2009186950A
Authority
JP
Japan
Prior art keywords
homomorphic
voting
value
voter
way function
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
JP2008056974A
Other languages
Japanese (ja)
Other versions
JP5110432B2 (en)
JP2009186950A5 (en)
Inventor
Tetsuji Kobayashi
哲二 小林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual

Abstract

PROBLEM TO BE SOLVED: To constitute a homomorphic one-way function operating device that can safely perform, for example, the counting of electronic votes (the sum of the voting contents).

SOLUTION: An applied system having a homomorphic one-way function operating device F(*) is disclosed, wherein the product {F(V1)×F(V2)×...×F(Vn)} of the values obtained by inputting n (n≥2) variables {V1, V2, ..., Vn} into F(*) individually and in an arbitrary order is equal to the value obtained by inputting {V1+V2+...+Vn} into F(*). The applied system includes: a step of precalculating a correspondence table {F(V1+V2+...+Vn), (V1+V2+...+Vn)} for each possible value of {V1+V2+...+Vn} and storing it in a storage device; and a step of obtaining, when an F(V1+V2+...+Vn) newly calculated from {V1, V2, ..., Vn} is obtained, the value of {V1+V2+...+Vn} by referring to the correspondence table.

COPYRIGHT: (C)2009,JPO&INPIT

Description

The present invention relates to an application system of a homomorphic one-way function computing device, and can be used, for example, for anonymous electronic voting. An anonymous electronic vote is an electronic vote in which the voter's name (the identifier assigned to the person or device that casts the vote) is kept secret.

Electronic voting can be classified into named voting and anonymous voting, depending on whether the voter's name is associated with the contents of the ballot. Realizing secure anonymous electronic voting over a network has great significance for the information society, but it is still at a developmental stage. Among the anonymous voting schemes proposed so far, the drawback of schemes that use homomorphic encryption is that the management of public and private keys and the processing for authentication are complicated, and the drawback of schemes based on blind signatures or Mix-net is that they require a complicated anonymous communication channel.

Homomorphism is the property that, for a function S(·), S(m1)·S(m2) = S(m1+m2). One-wayness is the property that, for a function T(·), it is easy to calculate T(m) but difficult or impossible to obtain m from T(m). Encryption with the homomorphic property has been studied in the past, but one-way functions with the homomorphic property have not been studied.
IEICE (ed.): "Information Security Handbook", Ohmsha, 2004; Kurosawa and Ogata (co-authors): "Basic Mathematics of Modern Cryptography", Corona, 2004

The main problem of the prior art to be solved is that the cost of implementing anonymous voting is high.

The present invention realizes an application system of a homomorphic one-way function computing device F(·) with the property that, for n variables (n ≥ 2) {V1, V2, ..., Vn}, the product {F(V1)·F(V2)···F(Vn)} of the values obtained by inputting the variables into F(·) individually, in any order, is equal to the value obtained by inputting {V1+V2+...+Vn} into F(·).
The application system is characterized by having a process of calculating the correspondence table {F(V1+V2+...+Vn), (V1+V2+...+Vn)} in advance for each possible value of {V1+V2+...+Vn} and storing it in a storage device, and a process of obtaining the value of {V1+V2+...+Vn} by referring to that correspondence table when an F(V1+V2+...+Vn) newly calculated from {V1, V2, ..., Vn} is obtained.

When applied to electronic voting, for example, the application system of the homomorphic one-way function computing device of the present invention has the advantage that anonymous voting can be realized relatively easily without using an anonymous communication channel. Although no anonymous communication channel is used, the properties of the homomorphic one-way function mean that the voting server and each voter cannot associate a voter with the content of that voter's vote.

The homomorphic one-way function computing device F(·) is defined to have the following properties: for arbitrary numerical values M, M1, M2, ..., Mn (n = 1, 2, ...), it is easy to calculate F(M) from M but difficult or impossible to calculate M from F(M), and
F(M1)·F(M2) = F(M1+M2). Therefore,
F(M1)·F(M2)···F(Mn) = F(M1+M2+...+Mn).
FIG. 1 shows an operation example of the homomorphic one-way function computing device F(·).

A homomorphic one-way function computing device that satisfies the above definition can be realized, for example, by implementing one of the following functions as a device. The homomorphic one-way function implemented in the device of the present invention may be any function that satisfies the above definition, and is not limited to the following examples.
For arbitrary integers A and B, exp(A, B) denotes A raised to the power B, and
A mod B denotes the remainder when A is divided by B.
Division of a variable taken mod P can be calculated by multiplying by the inverse mod P.
(1) Configuration example 1 of a homomorphic one-way function:
F(M) = exp(g, M) mod P
Here, the constants g and P are chosen appropriately in consideration of security.
There are various ways to choose them appropriately; for example, g is a primitive element mod P and an integer of several hundred digits, and P is a prime number of 300 digits or more.
(2) Example 2 of a homomorphic one-way function:
F(M) = exp(g, αM) mod P
Here, the constants g, α and P are chosen appropriately in consideration of security.
(3) Example 3 of a homomorphic one-way function:
F(M) = K·exp(g, αM) mod P
Here, the constants g, α and P are chosen appropriately in consideration of security.
K is an arbitrary constant or function. In this case, the following conversion is necessary:
F(M1)·F(M2)···F(Mn) = F(M1+M2+...+Mn)/(product of n copies of K)
(4) Example 4 of a homomorphic one-way function:
F(M) = β·M·R
Here, β is a constant, and F(M) and R are the two-dimensional coordinates of points on an elliptic curve whose constants are chosen appropriately. The elliptic curve is the curve represented by y^2 = ax^3 + bx^2 + cx + d, where a, b, c and d are constants. If the elliptic curve, β and R are set appropriately, it is difficult to obtain M given {F(M), β, R}.
In this case, (M1+M2+...+Mn) is obtained from F(M1)+F(M2)+...+F(Mn) = β·(M1+M2+...+Mn)·R. Therefore, unlike Examples 1, 2 and 3, the product of multiple F(·) values must be replaced with the sum of multiple F(·) values.

FIG. 2 shows a configuration example of the correspondence table {(V1+V2+...+Vn), F(V1+V2+...+Vn)}, which is calculated in advance for the values of the choices of {V1, V2, ..., Vn} and held in memory in order to associate (V1+V2+...+Vn) with F(V1+V2+...+Vn).

FIG. 3 shows an example of setting the tally bit string, which takes the choices of the input values Vk (k = 1, 2, ..., n) to the homomorphic one-way function computing device F(·) into account so that a tally can be obtained for each choice.
For example, when one of the choices is selected for a given Vk, the value of Vk is the value in which the least significant bit of the bit field corresponding to that choice is set to 1. The maximum length of the bit field for each choice is set so that it does not overlap the bit fields of the other choices even when every input value selects that one choice.
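The bit-field layout described above can be exercised end to end. The following Python sketch is an added example, not code from the patent: the function names, the toy parameters P = 2039 and g = 4, and the assumption that every voter selects exactly one choice are constructed for illustration. It builds the correspondence table over every possible split of the votes and recovers the per-choice counts from the product of the F(Vk) values.

```python
from itertools import product


def field_width(n_voters):
    """Bits per choice, so a field can hold a count of n_voters without carrying."""
    return n_voters.bit_length()


def encode_choice(option, n_voters):
    """V_k: the least significant bit of the chosen option's field set to 1."""
    return 1 << (option * field_width(n_voters))


def decode_counts(total, n_options, n_voters):
    """Split the summed value V1+...+Vn back into one count per choice."""
    w = field_width(n_voters)
    mask = (1 << w) - 1
    return [(total >> (i * w)) & mask for i in range(n_options)]


def possible_sums(n_options, n_voters):
    """Every value V1+...+Vn can take: each split of n_voters over the choices."""
    w = field_width(n_voters)
    for counts in product(range(n_voters + 1), repeat=n_options):
        if sum(counts) == n_voters:
            yield sum(c << (i * w) for i, c in enumerate(counts))


def build_tally_table(n_options, n_voters, g, p):
    """Correspondence table {F(sum): sum} with F(M) = exp(g, M) mod P."""
    table = {}
    for s in possible_sums(n_options, n_voters):
        c = pow(g, s, p)
        if c in table:
            # Two different tallies map to the same F value: the parameters
            # cannot represent this many voters and choices unambiguously.
            raise ValueError(f"F({s}) collides with F({table[c]})")
        table[c] = s
    return table


def tally(choices, n_options, g, p):
    """Multiply the F(V_k) values, look the product up, return counts per choice."""
    n = len(choices)
    table = build_tally_table(n_options, n, g, p)
    acc = 1
    for option in choices:
        if not 0 <= option < n_options:
            raise ValueError("choice outside the configured options")
        acc = acc * pow(g, encode_choice(option, n), p) % p  # product of F(V_k)
    return decode_counts(table[acc], n_options, n)


if __name__ == "__main__":
    # Constructed sample: 5 voters, 3 choices, toy safe prime P = 2*1019 + 1.
    # g = 4 is a square mod P, so its order is 1019, above the largest sum (320).
    print(tally([0, 2, 1, 2, 2], n_options=3, g=4, p=2039))
```

The table has one entry per possible split of the votes, so its size grows with both the number of voters and the number of choices.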

By using the homomorphic one-way function computing device of the present invention, anonymous electronic voting can be realized using, for example, computers and communication lines. One such embodiment is shown in Example 2.

FIG. 3 shows a model of anonymous electronic voting for network conferences using the homomorphic one-way function computing device. The electronic voting system for network conferences consists of a voting management terminal 11 (a personal computer or the like) for the voting manager (chairperson), voting terminals 12 (personal computers, mobile phones or the like) for the voters, a voting server 13 (vote management and the like), a trust server 14 (a trusted auxiliary server) and a communication line 15 (a network or the like). The general security of communication between these components is protected by ordinary security technology (for example, encryption and authentication). Each voter has an individual voting terminal.

An example of the processing procedure for anonymous electronic voting is shown below.
Step 0 (initial setting): The voting manager defines the set of voters as {voter 1, voter 2, ..., voter n} and the voting message (vote content) of voter k (k = 1, 2, ..., n) as Vk (k = 1, 2, ..., n). The voting manager determines the homomorphic one-way function computing device F(·) and the choices (possible values) of the voting messages {V1, V2, ..., Vn} of the voters k (k = 1, 2, ..., n), and sets them on the voting server 13 and all voting terminals.

Step 1 (trust server): The trust server 14 sends a secret random number Sk (k = 1, 2, ..., n) to each voter k (k = 1, 2, ..., n). The trust server 14 sends [(S1·S2·...·Sn) mod P] to the voting server 13 and keeps (S1, S2, ..., Sn) secret (or erases them).
The voting server 13 keeps the received (S1, S2, ..., Sn) secret.

Step 2 (voters and voting server): Each voter k (k = 1, 2, ..., n) individually sends Wk·F(Vk) mod P (k = 1, 2, ..., n) to the voting server 13. Here, Wk (k = 1, 2, ..., n) is a secret random number.

Step 3 (communication between voters): Voter 1, who has the first number, sends {S1·W1 mod P} to voter 2 and sends a confirmation of this to the voting server 13.
Voter 2 sends {(S1·W1·S2·W2) mod P} to voter 3 and sends a confirmation to the voting server 13.
Voter 3 sends {(S1·W1·S2·W2·S3·W3) mod P} to voter 4 and sends a confirmation to the voting server 13. Each subsequent voter performs the same operation in turn, and as a result,
voter n, who has the final number, receives {(S1·W1·S2·W2·...·Sn·Wn) mod P}.

Step 4 (voter with the final number): Voter n sends {(S1·W1·S2·W2·...·Sn·Wn) mod P} to the voting server 13.

Step 5 (voting server): The voting server 13 calculates
A1 = [W1·F(V1)]·[W2·F(V2)]·...·[Wn·F(Vn)] mod P
where
A1 = W1·W2·...·Wn·F(V1)·F(V2)·...·F(Vn) mod P
   = W1·W2·...·Wn·F(V1+V2+...+Vn) mod P.
Next, the voting server 13 calculates
C1 = [(S1·W1·S2·W2·...·Sn·Wn) mod P]/[(S1·S2·...·Sn) mod P]
(= (W1·W2·...·Wn) mod P)
and obtains (W1·W2·...·Wn) mod P.
Next, the voting server 13 calculates
A2 = A1/[(W1·W2·...·Wn) mod P] = F(V1+V2+...+Vn)
and obtains the numerical value of A2.

Because of the one-wayness of the homomorphic one-way function F(·), the voting server 13 cannot obtain (V1+V2+...+Vn) from F(V1+V2+...+Vn).
To solve this, at any point in time the voting server 13 calculates C1 = F(V1+V2+...+Vn) in advance for all the values that (V1+V2+...+Vn) can take, and stores the resulting values in the correspondence table T1.
T1 = {C1 (= F(V1+V2+...+Vn)), (V1+V2+...+Vn)}
Calculating the function F(·) from an input value is easy, and the set of voters can be divided into subsets with the number of voters per subset set appropriately, so this advance calculation can be carried out easily.

The voting server 13 compares the numerical value of A2 with each element of the correspondence table T1, and when it finds the element with A2 = C1, it obtains the voting result {V1+V2+...+Vn} from that element.

Note 1: If the voting server 13 does not receive a confirmation from some voter X, the voting server 13 removes voter X from the voting member list for the current voting agenda item. When the number of voters is large, the set of voters can be divided into multiple subsets, in which case the voters of each subset execute the above anonymous voting procedure for their own subset.

Note 2: The voting message Vk (k = 1, 2, ..., n) is a numerical value that satisfies the conditions specified by the voting manager. For example, when the voting message has the two choices {Yes = 1, No = 0},
(V1+V2+...+Vn) is an integer from 0 to n, so the correspondence table T1 has (n+1) elements.

Note 3: To guarantee the validity of the voting message Vk (k = 1, 2, ..., n), the application on the voting terminal needs to check the validity of the numerical value entered by the voter. The voting terminal application can be downloaded from the voting server 13. The validity of the voting terminal application can be guaranteed by the voting server 13 digitally signing the application.

Note 4: When the voting server 13 receives a voting message from a voting terminal, the voting server 13 verifies the legitimacy of the voting terminal by means of a digital signature. The voting server 13 can prevent multiple voting by checking the voter ID and voter password when communicating with a voter.

A simple numerical example with two voters is shown below for explanation.
Step 0 (initial setting): The homomorphic one-way function is F(V) = exp(g, V) mod P with g = 2 and P = 97, and the voting message is V = 0 (No) or 1 (Yes).

Step 1 (trust server): The trust server 14 generates the secret random numbers S1 = 23 and S2 = 53, sends S1 to voter 1 and S2 to voter 2, and sends S1·S2 mod P = 55 to the voting server 13.

Step 2 (between voters and voting server): Voter 1 determines V1 = 0, W1 = 88, W1·F(V1) mod P = 88 and S1·W1 mod P = 84, and sends W1·F(V1) to the voting server 13. Voter 2 determines V2 = 1, W2 = 77, W2·F(V2) mod P = 57 and S2·W2 mod P = 7, and sends W2·F(V2) mod P to the voting server 13.

Step 3 (communication between voters): Voter 1, who has the first number, sends S1·W1 mod P = 84 to voter 2 and sends a confirmation of this to the voting server 13.

Step 4 (voter with the final number): Voter 2, who has the final number, sends (S1·W1)·(S2·W2) = 6 to the voting server 13.

Step 5 (voting server): The advance calculation by the voting server 13 gives
F(0+0) = 1, F(0+1) = F(1+0) = 2, F(1+1) = 4, T1 = [{1, 0}, {2, 1}, {4, 2}].
A1 = [W1·F(V1)]·[W2·F(V2)] mod P = 69
C1 = [(S1·W1·S2·W2) mod P]/[(S1·S2) mod P] = 83
A2 = A1/[(W1·W2) mod P] = F(V1+V2) = 2

The numerical value A2 = 2 is compared with each element of the table T1, and from the element {F(V1+V2), V1+V2} = {2, 1} for which A2 = C1 (= F(V1+V2)), the vote tally V1+V2 = 1 is obtained.
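The numerical example above can be reproduced in code. The following Python simulation is an added example, not code from the patent: the function names are assumptions and all parties run in one process, while g = 2, P = 97 and the values of S and W are the ones given in the text. It carries Steps 1 to 5 through for any number of Yes/No voters and rejects a correspondence table whose F values collide.

```python
import secrets


def F(v, g, p):
    """Configuration example 1: F(V) = exp(g, V) mod P."""
    return pow(g, v, p)


def mul_mod(values, p):
    """Product of all values, reduced mod p."""
    out = 1
    for x in values:
        out = out * x % p
    return out


def build_table(n, g, p):
    """Correspondence table T1 as {F(s): s} for every Yes/No sum s = 0..n."""
    table = {}
    for s in range(n + 1):
        c = F(s, g, p)
        if c in table:
            # The order of g is too small for n voters: use smaller voter
            # subsets (Note 1) or different parameters.
            raise ValueError(f"F({s}) collides with F({table[c]})")
        table[c] = s
    return table


def run_tally(votes, S, W, g, p):
    """Carry out Steps 1-5 and return the voting server's A1, C1, A2 and tally."""
    n = len(votes)
    if len(S) != n or len(W) != n:
        raise ValueError("need one S_k and one W_k per voter")
    if any(x % p == 0 for x in [*S, *W]):
        raise ValueError("S_k and W_k must be invertible mod P")
    # Step 1: the trust server sends (S1*S2*...*Sn) mod P to the voting server.
    s_product = mul_mod(S, p)
    # Step 2: voter k sends the blinded value W_k * F(V_k) mod P.
    ballots = [W[k] * F(votes[k], g, p) % p for k in range(n)]
    # Steps 3-4: each voter multiplies S_k * W_k into the running product and
    # passes it on; the last voter sends the result to the voting server.
    chain = 1
    for k in range(n):
        chain = chain * S[k] * W[k] % p
    # Step 5: division mod P is multiplication by the inverse (Python 3.8+).
    A1 = mul_mod(ballots, p)
    C1 = chain * pow(s_product, -1, p) % p  # = (W1*...*Wn) mod P
    A2 = A1 * pow(C1, -1, p) % p            # = F(V1+...+Vn)
    table = build_table(n, g, p)
    if A2 not in table:
        raise ValueError("A2 is not in T1: some V_k was not a valid choice")
    return {"A1": A1, "C1": C1, "A2": A2, "tally": table[A2]}


def random_election(votes, g, p):
    """Same procedure with freshly drawn secret S_k and W_k in 1..P-1."""
    n = len(votes)
    S = [secrets.randbelow(p - 1) + 1 for _ in range(n)]
    W = [secrets.randbelow(p - 1) + 1 for _ in range(n)]
    return run_tally(votes, S, W, g, p)


if __name__ == "__main__":
    # Values from the two-voter example in the text.
    print(run_tally([0, 1], S=[23, 53], W=[88, 77], g=2, p=97))
    # Constructed sample: ten voters, six of them voting Yes.
    print(random_election([1, 0, 1, 1, 0, 1, 0, 0, 1, 1], g=2, p=97)["tally"])
```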

The feature of the application system of the homomorphic one-way function computing device of the present invention is that secret tallying can be realized relatively easily without using an anonymous communication channel; it can be used for anonymous electronic voting, anonymous questionnaires and the like.

An operation example of the homomorphic one-way function computing device F(·). (Example 1)
An example of the correspondence table {F(V1+V2+...+Vn), (V1+V2+...+Vn)}. (Example 1)
An example of setting the bit string that enables tallying for each choice. (Example 1)
A model example of anonymous electronic voting for network conferences. (Example 2)
A model example of anonymous electronic voting with two voters. (Example 2)

Explanation of symbols

1 Homomorphic one-way function computing device F(·)
2 Correspondence table {F(V1+V2+...+Vn), (V1+V2+...+Vn)}
3 Tally bit string
11 Voting management terminal for the voting manager
12 Voting terminal for voters
13 Voting server
14 Trust server
15 Communication line

Claims (4)

1. An application system of a homomorphic one-way function computing device, comprising a homomorphic one-way function computing device F(·) with the property that, for n variables (n ≥ 2) {V1, V2, ..., Vn}, the product {F(V1)·F(V2)···F(Vn)} of the values obtained by inputting the variables into F(·) individually, in any order, is equal to the value obtained by inputting {V1+V2+...+Vn} into F(·), the application system being characterized by having a process of calculating the correspondence table {F(V1+V2+...+Vn), (V1+V2+...+Vn)} in advance for each possible value of {V1+V2+...+Vn} and storing it in a storage device, and a process of obtaining the value of {V1+V2+...+Vn} by referring to that correspondence table when an F(V1+V2+...+Vn) newly calculated from {V1, V2, ..., Vn} is obtained.

2. The application system of a homomorphic one-way function computing device according to claim 1, characterized in that a modular exponentiation function is included in the homomorphic one-way function computing device F(·).

3. The application system of a homomorphic one-way function computing device according to claim 1, characterized in that the position in the tally bit string is separated for each individual choice that the input value V to the homomorphic one-way function computing device F(·) can take, so that the tally for each choice of V can be obtained independently.

4. An application system of a homomorphic one-way function computing device in which operations on an elliptic curve are included in the homomorphic one-way function computing device F(·), comprising a homomorphic one-way function computing device F(·) with the property that, for n variables (n ≥ 2) {V1, V2, ..., Vn}, the sum on the elliptic curve {F(V1)+F(V2)+...+F(Vn)} of the values obtained by inputting the variables into F(·) individually, in any order, is equal to the value obtained by inputting (V1+V2+...+Vn) into F(·), the application system being characterized by having a process of calculating the correspondence table {F(V1+V2+...+Vn), (V1+V2+...+Vn)} in advance for each possible value of {V1+V2+...+Vn} and storing it in memory, and a process of obtaining the value of {V1+V2+...+Vn} by referring to that correspondence table when an F(V1+V2+...+Vn) newly calculated from {V1, V2, ..., Vn} is obtained.
JP2008056974A 2008-02-06 2008-02-06 Application system of homomorphic unidirectional function arithmetic unit Expired - Fee Related JP5110432B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2008056974A JP5110432B2 (en) 2008-02-06 2008-02-06 Application system of homomorphic unidirectional function arithmetic unit

Publications (3)

Publication Number Publication Date
JP2009186950A true JP2009186950A (en) 2009-08-20
JP2009186950A5 JP2009186950A5 (en) 2011-04-21
JP5110432B2 JP5110432B2 (en) 2012-12-26

Family

ID=41070221

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2008056974A Expired - Fee Related JP5110432B2 (en) 2008-02-06 2008-02-06 Application system of homomorphic unidirectional function arithmetic unit

Country Status (1)

Country Link
JP (1) JP5110432B2 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2013524277A (en) * 2010-03-30 2013-06-17 インターナショナル・ビジネス・マシーンズ・コーポレーション Computer readable storage medium and apparatus for efficient homomorphic cryptography on bilinear form
US9252954B2 (en) 2010-03-30 2016-02-02 International Business Machines Corporation Efficient homomorphic encryption scheme for bilinear forms
US9608817B2 (en) 2012-02-17 2017-03-28 International Business Machines Corporation Homomorphic evaluation including key switching, modulus switching, and dynamic noise management
US9621346B2 (en) 2012-02-17 2017-04-11 International Business Machines Corporation Homomorphic evaluation including key switching, modulus switching, and dynamic noise management
US9742566B2 (en) 2012-02-17 2017-08-22 International Business Machines Corporation Homomorphic evaluation including key switching, modulus switching, and dynamic noise management
US10057057B2 (en) 2012-02-17 2018-08-21 International Business Machines Corporation Homomorphic evaluation including key switching, modulus switching, and dynamic noise management

Also Published As

Publication number Publication date
JP5110432B2 (en) 2012-12-26

Legal Events

Date Code Title Description
A521 Request for written amendment filed

Free format text: JAPANESE INTERMEDIATE CODE: A523

Effective date: 20110207

A621 Written request for application examination

Free format text: JAPANESE INTERMEDIATE CODE: A621

Effective date: 20110207

A521 Request for written amendment filed

Free format text: JAPANESE INTERMEDIATE CODE: A523

Effective date: 20120201

A977 Report on retrieval

Free format text: JAPANESE INTERMEDIATE CODE: A971007

Effective date: 20120824

TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

Effective date: 20120911

A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

A61 First payment of annual fees (during grant procedure)

Free format text: JAPANESE INTERMEDIATE CODE: A61

Effective date: 20120927

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20151019

Year of fee payment: 3

R150 Certificate of patent or registration of utility model

Ref document number: 5110432

Country of ref document: JP

Free format text: JAPANESE INTERMEDIATE CODE: R150

Free format text: JAPANESE INTERMEDIATE CODE: R150

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

R250 Receipt of annual fees

Free format text: JAPANESE INTERMEDIATE CODE: R250

LAPS Cancellation because of no payment of annual fees