JP2011013428A - Information processing apparatus, code generation method, code verifying method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information processing apparatus that efficiently detects tampering of dispersed information at high probability and increases the degree of freedom of parameter setting.SOLUTION: The information processing apparatus includes a secret information dividing part for dividing secret information s into secret information s_1 and secret information s_2 so that one of them becomes an element selected from the original set of the secret information s uniformly at random, a code generating part for calculating the value of M(s_1, s_2) as data v for check regarding a function M(), a code dispersing part for outputting a (k-1)-order polynomial F where the secret information s and the data v for check are embedded, a code restoring part for generating a (k-1)-order polynomial F' passing points of k sets of dispersed code word information to be restored and restoring secret information s' and data v' for check embedded in F', and a code verifying part for determining whether the value of function M(s'_1, s'_2) is equal to the data v' for check regarding secret information s'_1 and secret information s'_2 divided from the secret information s'.

Description

  The present invention relates to an information processing apparatus that detects falsification of data, a code generation method, a code verification method, and a program for causing a computer to execute the method.

  When storing information that is to be kept secret (hereinafter referred to as secret information), there are not only loss of secret information but also threats of destruction and theft. Although it is effective to make a copy of secret information against the former threat, the threat against theft of the latter increases.

  As one of means for solving such a problem, a secret sharing method is known. The (k, n) threshold method, which is one of secret sharing methods, will be briefly described. The secret information is encoded into n pieces of shared information. Secret information can be completely recovered by collecting any k or more pieces of shared information out of n pieces of shared information. However, even if k-1 or less pieces of shared information are collected, information about the original secret information is obtained at all. I can't. Therefore, even if up to k-1 pieces of shared information are stolen, the secret information is not leaked to others, and the secret information can be restored even if up to n-k pieces of shared information are destroyed.

  An example of the (k, n) threshold method is disclosed in Non-Patent Document 1. Since the method proposed by shamir disclosed in Non-Patent Document 1 is efficient, this method is widely used.

  The method of Non-Patent Document 1 uses a finite field GF (p) for a prime number or a power p of a prime number as a data set of secret information, and a random (k−1) on GF (p) having the secret information s as a constant term. ) A point on the degree polynomial f (x), (x_1, f (x_1)),..., (X_n, f (x_n)) is used as distributed information. The k-1 order polynomial can be uniquely restored from the k pieces of distributed information, and the secret information s which is f (0) can be restored. Further, f (0) cannot be determined from k−1 or less pieces of shared information, and no information about the secret information s is leaked. The place where the confidential information is embedded may be any place other than f (0). Also, a polynomial coefficient or the like may be used.

  Further, xi (i = 1,..., N) may be different from each other.

  Some threats can be dealt with by using such a (k, n) threshold method, but there are also the following threats.

  Consider a situation in which shared information is correctly created and distributed in the (k, n) threshold method, and then multiple pieces of shared information are collected to restore secret information.

  At this time, the requested value of the shared information is not always passed without falsification. Further, when the simple (k, n) threshold method is used, there is a possibility that the value restored using the altered shared information becomes a value different from the secret information.

  To illustrate the actual situation, when data with a distributed will is created and passed to multiple descendants, the data is altered and rewritten with content that is convenient for some descendants. It is done.

  When such an attack is carried out in the method of Non-Patent Document 1, if the secret information is s and the addition on the finite field is written as +, the tamper will alter the s + s' to be restored. It is known that it can be done. For this reason, it is desirable that the system be able to detect the fact that the tampering has been performed as in the previous will.

  Various methods for imparting such a function to the (k, n) threshold method disclosed in Non-Patent Document 1 are known. The following methods are known as methods for efficient arithmetic processing. The outline of this method will be described separately in a distribution phase in which secret information is distributed and a restoration phase in which secret information is restored.

[Distributed phase]
1. Apply some processing to the confidential information. The value after the processing is applied is called a code.
2. Distribute the code with the existing (k, n) threshold method.

Restore phase
1. Restore the code.
2. Check the validity of the code. If it is found that it is not legitimate, it is assumed that it has been tampered with.

  Adopting such a configuration, GenCode () is a device that outputs code with confidential information as input, and VerCode () is a function that outputs whether the code is valid with the generated code as input Let c be the code for some secret information s. At this time, the probability that the tamper can generate c ′ that outputs that VerCode (c + c ′) is valid is sufficiently low. In addition to this, when the code is valid, it is possible to detect fraud with respect to the above (k, n) threshold method with a high probability by using the one that always outputs the secret information corresponding to the code.

  An information processing apparatus that executes this method will be described.

  FIG. 8A is a block diagram illustrating a configuration example of a related distributed information generation apparatus. FIG. 8B is a block diagram illustrating a configuration example of a related restoration device.

  As shown in FIGS. 8A and 8B, each of the shared information generating apparatus 700 and the restoring apparatus 800 is connected to a plurality of storage apparatuses 900 for storing shared information.

  First, the configuration of the shared information generating apparatus 700 will be described with reference to FIG. 8A.

  The distributed information generation apparatus 700 includes a code generation unit 701 and a code distribution unit 702. When the source of the secret information data set S, the threshold value k, the number of shared information n, and the storage destination device designation data are input, the shared information generation device 700 receives n pieces of data designated by the storage destination device designation data. For each storage device 900, the distributed code information that is the source of the distributed code data set BS is stored.

  When the element s of the secret information data set S is input, the code generation unit 701 outputs the element c of the code information data set C.

  When the source of the set C, the threshold k, the number of distributed information n, and the storage destination device designation data are input, the code distribution unit 702 receives each of the n storage devices 900 designated by the storage destination device designation data. For the original of the distributed code data set BS.

  Next, the configuration of the restoration device 800 will be described with reference to FIG. 8B.

  The restoration apparatus 800 includes a code restoration unit 801 and a code validity verification unit 802. When the original of the set C, the threshold k, the number of distributed information n, and the storage destination device designation data are input, the restoration device 800 reads out the BS source stored in each of the plurality of storage devices 900, The original data of the secret information data set S or a symbol representing fraud detection is output.

  When the source of the set C, the threshold k, and the storage destination device designation data are input, the code restoration unit 801 reads the BS source stored in each storage unit 901 from the plurality of storage devices 900, and C Output the element of.

  When the element of C is input, the code validity verification unit 802 outputs the original data of S or data indicating that the code is invalid. The storage device 900 includes a storage unit 901 that stores the source of the distributed code data set BC.

  Next, the operation procedure of the shared information generating apparatus 700 will be described with reference to the flowchart of FIG.

  The threshold k, the number n of shared information, the storage destination device designation data, and the element s of the secret information data set S are input to the shared information generating device 700 (step A1).

  The code generation unit 701 outputs c, which is the source of the code information data set C corresponding to the input s (step A2).

  The code distribution unit 702 distributes c by the (k, n) threshold method when the threshold k, the number n of distributed information, the storage destination device designation data, and the output c of the code generation unit 701 are input. The encoded and distributedly encoded c is stored in the storage unit 901 of the storage device 900 designated by the storage destination device designation data (step A3).

  Next, the operation procedure of the restoration apparatus 800 will be described with reference to the flowchart of FIG.

  The threshold value k and the number of distributed information n are input to the restoration device 800 (step B1). The code restoration unit 801 reads data from the storage units 901 of a plurality of storage devices 900 of k machines or more (step B2). Subsequently, the code restoration unit 801 outputs an element c ′ of C, which is a result of performing restoration processing using the restoration method corresponding to the distributed encoding method of the code distribution unit 702, from the read data and the threshold value k. (Step B3).

  When the code validity verification unit 802 receives c ′ from the code restoration unit 801, the code validity verification unit 802 performs a process of verifying the validity of c ′. 'Is output, otherwise a symbol indicating fraud detection is output (step B4).

  In addition, information other than secret information may be input for the GenCode input. In addition, c is not necessarily a single element of a finite field, and may be composed of a plurality of elements of different finite fields. For example, considering the case of three elements, c = (c1, c2, c3) may be obtained. At this time, for c = (c1, c2, c3) and c '= (c1', c2 ', c3'), + is defined on a finite field corresponding to each element of c1, c2, c3 If it is an addition, c + c ′ represents (c1 + c1 ′, c2 + c2 ′, c3 + c3 ′).

  Note that the smaller the code set, the smaller the size of the shared information, which is preferable because less storage capacity is required when the secret information is distributed and stored.

  Non-patent literature 2, non-patent literature 3 and non-patent literature 4 are disclosed as non-patent literature 1 as a system that is more efficient in arithmetic processing than non-patent literature 1. Then, when the methods disclosed in these three documents are classified into two types, the methods disclosed in Non-Patent Document 2 and Non-Patent Document 3 and the methods disclosed in Non-Patent Document 4 can be divided. Each will be described below.

  The processing devices disclosed in Non-Patent Document 2 and Non-Patent Document 3 are codes that perform processing to generate secret information, random numbers, and secret information and an output when these random numbers are input to a function as codes. It consists of a generation device and a code validity verification device that verifies the validity of a code as an input.

  In these methods, regardless of the randomness of the secret information itself, the random number R is selected from the set from which the secret information is selected and the random number on the condition that the random number R is uniformly selected from the original set from which it is selected. An addition on a set of codes and a set of codes is represented as +, and a function is represented as M (). For a secret information s1 and a random number r1, a tamper who has obtained s1 and c1 = M (s1, r1) is M ( t1 + s1 ′, r1 + r1 ′) = M (s1, r1) + c1 ′ that satisfies s1 ′, r1 ′, c1 ′ is generated with high probability.

  An example of the configuration of a code generation device and a code verification device for detecting such alteration of secret information and uniform random numbers will be described. This type of code generation device is referred to as a “tamper detection code generation device”, and the code verification device is referred to as a “tamper detection code verification device”.

  FIG. 11A is a block diagram illustrating a configuration example of the code generation device disclosed in Non-Patent Document 2 or Non-Patent Document 3. FIG. 11B is a block diagram illustrating a configuration example of the code verification device disclosed in Non-Patent Document 2 or Non-Patent Document 3.

  As shown in FIG. 11A, the falsification detection code generation device 100 includes a check data generation unit 101. The tampering detection code generation device 100 outputs s and r when the secret information s that is the source of the secret information data set S and the random number r that is the source of the random information data set R are input, s and r are input to the check data generation unit 101, and as a result, c, which is the source of the check data set C, is output as check data.

  Also, as shown in FIG. 11B, the tampering detection code verification apparatus 200 includes a check data generation unit 101 and an identity determination unit 201.

  The tampering detection code verification apparatus 200 includes the secret information s that is the source of the secret information data set S, the random number r that is the source of the random information data set R, and the check data c that is the source of the check data set C. Are input to the check data generation unit 101. When s and r are input, the check data generation unit 101 generates and outputs c ′. When the check data c and c ′ that is the output of the check data generation unit 101 are input, the same determination unit 201 performs a determination process. As a result of the determination process, the same determination unit 201 outputs a symbol indicating that the code is consistent when c ′ = c, and the code is not consistent otherwise. A symbol representing is output. Further, the tampering detection code verification apparatus 200 outputs the secret information s.

  In the method of Non-Patent Document 2, if the probability that tampering can be detected is (1-ε), and the secret information is selected from the set of the number of elements s, the random number is the element of the set of the number of elements 1 / ε, and the output of the function Is the element of the set with 1 / ε elements. In other words, the code is an element of a set whose number of elements is approximately s * 1 / (ε ^ 2). This method has a parameter condition that it operates only when s and 1 / ε are almost equal. This means that even if ε is about 1/2 ^ 80, s needs to be 1/2 ^ 1000 if s is 2 ^ 1000. It is preferable that these parameters can be freely set because the length of the cord is affected.

  Specifically, it is as described below.

  In the method disclosed in Non-Patent Document 2, when p is a prime number and Z / pZ is a set S of secret information, s and Z / pZ are uniformly random as codes of s that are elements of S. In this method, the selected element r and * are multiplied on Z / pZ, and s * r mod p is used as check data.

  When q is a power of a prime number instead of Z / pZ, each set may be an element of a Galois field GF (q), and multiplication may be multiplication on the Galois field.

  In the method of Non-Patent Document 3, if the probability that tampering can be detected is (1-ε), and the secret information is selected from the set of the number of elements s, the random number is the element of the set of the number of elements 1 / ε, and the output of the function Is the element of the set with 1 / ε elements. Therefore, the code is an element of a set whose number of elements is approximately s * 1 / (ε ^ 2). In other words, the efficiency is comparable to the method of Non-Patent Document 2, but s and 1 / ε can be set almost independently. Therefore, it can be said that this is a method in which the problem in Non-Patent Document 2 is solved.

  Specifically, it is as described below.

  The system disclosed in Non-Patent Document 3 is a system in which p is a prime number, N is a positive integer, and (Z / pZ) ^ N is a set of secret information. The element of (Z / pZ) ^ N is written as s or (s_1, s_2, ..., s_N). In addition, Galois field GF (p ^ N) may be used instead of (Z / pZ) ^ N.

  At this time, as a code of (s_1, s_2, ..., s_N), s, an element r uniformly selected from Z / pZ, and * are multiplied on Z / pZ, and s_1 * r + s_2 * r ^ 2 + ... + s_ {N-1} * r ^ {N-1} + s_ {N} * r ^ {N + 1} mod p is used as check data.

  When q is a power of a prime number instead of Z / pZ, each set may be an element of a Galois field GF (q), and multiplication may be multiplication on the Galois field.

  On the other hand, the method disclosed in Non-Patent Document 4 is a function that inputs elements of a set of secret information and outputs elements of a subset of a set larger than the secret information when different values are input. Is a method that uses functions that always output different values. When such a function is expressed as N (), the code generator outputs N (s) as a code when the secret information s is input. When a code is input, the code verification device checks whether there is a secret information element corresponding to the code. If there is a secret information element, the code verification device indicates that the secret information has not been tampered with. Otherwise, a symbol indicating that the confidential information has been tampered with is output. In this method, code alteration can be detected with a high probability on the condition that secret information is uniformly and randomly selected from a selected set.

  Specifically, it is as follows.

  When a set with p elements is used as the secret information set S, the number of elements of {0, ... p (p-1)} when N = (p (p-1) +1) is This is a method using a subset B which is p, and has a property that s1-s2 mod N is different for any two different elements s1 and s2 of the subset.

  More specifically, the S code uses a function that maps S elements to B elements. This method of verification uses a function that calculates the inverse of the mapping from S to B. At this time, if there is no source of S corresponding to the code, it is assumed that there is tampering.

  Further, in the method disclosed in Non-Patent Document 4, when the probability that tampering can be detected is (1-ε), the output of the function is the number of elements s * (1 / ε). Further, there is a parameter condition that the operation is performed only when s and 1 / ε are substantially equal. That is, it can be said that this is a method having the same problem as the method of Non-Patent Document 2. However, since the set of the number of code elements is reduced by 1 / ε compared to the case of using the methods of Non-Patent Document 2 and Non-Patent Document 3, it can be seen that this is an efficient calculation processing method.

  An example of the configuration of a code generation device and a code verification device for detecting such uniform alteration of secret information will be described. This type of code generation device is referred to as a “tamper detection code generation device”, and the code verification device is referred to as a “tamper detection code verification device”.

  FIG. 12A is a block diagram illustrating a configuration example of the code generation device disclosed in Non-Patent Document 4. FIG. 12B is a block diagram illustrating a configuration example of the code verification device disclosed in Non-Patent Document 4.

  As illustrated in FIG. 12A, the falsification detection code generation device 300 includes a secret information encoding unit 301. When the secret information s that is the source of the secret information data set S is input, the falsification detection code generation device 300 inputs s to the secret information encoding unit 301, Output a certain c as code.

  As illustrated in FIG. 12B, the tampering detection code verification apparatus 400 includes a secret information decoding unit 401 corresponding to the secret information encoding unit 301, and a decoding result determination unit 402.

  When the original c of the code data set C is input, the tampering detection code verification apparatus 400 inputs c to the secret information decryption unit 401 and outputs the secret information decryption unit 401 to the decryption result determination unit 402. To enter. When the value received from the secret information decryption unit 401 is an element of the secret information data set, the decryption result determination unit 402 outputs the value as it is; otherwise, the decryption result determination unit 402 displays a symbol indicating that the data has been tampered with. Output.

Adi Shamir. How to share a secret. Comm. ACM, 22 (11) 612-613 (1979). Sergio Cabello, Carles Padro ', Germa'n Sa'ez: Secret Sharing Schemes with Detection of Cheaters for a General Access Structure.Des. Codes Cryptography 25 (2): 175-188 (2002) Toshinori Araki, Satoshi Obana: Flaws in Some Secret Sharing Schemes Against Cheating. ACISP 2007: 122-132 Wakaha Ogata. Kaoru Kurosawa. Douglas R Stinson: Optimum Secret Sharing Scheme Secure Against Cheating SIAM J. Discrete Math., Vol. 20, no1, pages 79-95, 2006

  When generating shared information using the (k, n) threshold method, as a method of generating a code capable of detecting tampering of the distributed information with high probability, the calculation efficiency is comparable to the method of Non-Patent Document 4. None of the parameters could be set freely.

  An object of the present invention is to provide an information processing apparatus, a code generation method, and a code verification method that can detect falsification of shared information by the (k, n) threshold method with high probability and efficiency and that have a large degree of freedom in parameter setting. And a program for causing a computer to execute the method.

An information processing apparatus of the present invention for achieving the above object is an information processing apparatus for detecting falsification of information generated by a (k, n) threshold method,
When the secret information s is input, at least one of the two pieces of divided information composed of the secret information s_1 and the secret information s_2 is an element that is uniformly and randomly selected from the original set of the secret information s. A secret information dividing unit that divides the secret information s into the secret information s_1 and the secret information s_2;
A code generator for calculating the value of the function M (s_1, s_2) having the secret information s_1 and the secret information s_2 as inputs for the two-input function M ();
The (k-1) th order polynomial F in which the secret information s and the check data v are embedded is generated, and different x values x1 to xn are input to the (k-1) th order polynomial F. A code distribution unit that outputs (x1, F (x1)) to (xn, F (xn)), which are pairs of inputs and outputs, as distributed codeword information,
When (x1 ′, F_1 ′) to (xk ′, F_k ′) are input as k sets of distributed codeword information to be restored, (xk ′, F_k) from (x1 ′, F_1 ′) A code restoration unit that generates a (k-1) th order polynomial F 'passing through the point') and restores the secret information s' and the check data v 'embedded in the (k-1) th order polynomial F'; ,
When the secret information s′_1 and the secret information s′_2 obtained by dividing the secret information s ′ by the secret information dividing unit are received from the secret information dividing unit, the value of the function M (s′_1, s′_2) It is determined whether or not the check data v ′ is equal. When the value of the function M (s′_1, s′_2) and the check data v ′ are equal, the secret information s ′ has not been tampered with. A code verification unit that determines that the secret information s ′ has been tampered with when the value of the function M (s′_1, s′_2) is not equal to the check data v ′.

The code generation method of the present invention is a code generation method for detecting falsification of information generated by the (k, n) threshold method,
The secret information s to be encoded is such that at least one of the two pieces of divided information consisting of the secret information s_1 and the secret information s_2 is an element selected uniformly and randomly from the original set of the secret information s. Divided into the secret information s_1 and the secret information s_2,
For the two-input function M (), the value of the function M (s_1, s_2) having the secret information s_1 and the secret information s_2 as inputs is calculated as check data v.
The (k-1) th order polynomial F in which the secret information s and the check data v are embedded is generated, and different x values x1 to xn are input to the (k-1) th order polynomial F. (X1, F (x1)) to (xn, F (xn)), which are pairs of inputs and outputs, are output as distributed codeword information.

The code verification method of the present invention is a code verification method for detecting falsification of information generated by the (k, n) threshold method,
(K-1) is a set of input and output when x1 to xn, which are n values different from each other, are input to the (k-1) th order polynomial F (x1, F ( x1)) to (xn, F (xn)), (x1, F_1) to (x1, F_1) to (xk, F_k) of k sets of distributed codeword information to be restored To generate a (k−1) -degree polynomial F ′ that passes through the point (xk, F_k),
Restore the secret information s and the check data v embedded in the (k-1) degree polynomial F ′,
The secret information s is such that at least one of the two pieces of divided information consisting of the secret information s_1 and the secret information s_2 is an element selected uniformly and randomly from the original set of the secret information s. divided into s_1 and secret information s_2
For a two-input function M (), it is determined whether or not the value of the function M (s_1, s_2) and the check data v are equal, and the value of the function M (s_1, s_2) and the check data v are If they are equal, it is determined that the secret information s has not been tampered with, and if the value of the function M (s_1, s_2) and the check data v are not equal, it is determined that the secret information s has been tampered with. is there.

The program of the present invention is a program that is executed by a computer that generates a code for detecting falsification of information generated by the (k, n) threshold method,
When the secret information s to be encoded is input, an element in which at least one of the two pieces of divided information consisting of the secret information s_1 and the secret information s_2 is uniformly selected from the original set of the secret information s; The secret information s is divided into the secret information s_1 and the secret information s_2,
For the two-input function M (), the value of the function M (s_1, s_2) having the secret information s_1 and the secret information s_2 as inputs is calculated as check data v.
The (k-1) th order polynomial F in which the secret information s and the check data v are embedded is generated, and different x values x1 to xn are input to the (k-1) th order polynomial F. At this time, the computer executes the process of outputting (x1, F (x1)) to (xn, F (xn)), which are pairs of inputs and outputs, as distributed codeword information.

Furthermore, the program of the present invention is a program executed by a computer for verifying a code for detecting falsification of information generated by the (k, n) threshold method,
(K-1) is a set of input and output when x1 to xn, which are n values different from each other, are input to the (k-1) th order polynomial F (x1, F ( (x1, F_1) to (xk, F_k) of k sets of distributed codeword information to be restored among (x1)) to (xn, F (xn)) are input. F_1) to generate a (k−1) degree polynomial F ′ passing through the points (xk, F_k),
Restore the secret information s and the check data v embedded in the (k-1) degree polynomial F ′,
The secret information s is such that at least one of the two pieces of divided information consisting of the secret information s_1 and the secret information s_2 is an element selected uniformly and randomly from the original set of the secret information s. divided into s_1 and secret information s_2
For a two-input function M (), it is determined whether or not the value of the function M (s_1, s_2) and the check data v are equal, and the value of the function M (s_1, s_2) and the check data v are If they are equal, it is determined that the secret information s has not been tampered with, and if the value of the function M (s_1, s_2) and the check data v are not equal, processing for determining that the secret information s has been tampered with The computer is executed.

  According to the present invention, it is possible to detect the alteration of the distributed information by the (k, n) threshold method with high probability and efficiency, and to increase the degree of freedom of parameter setting.

It is a block diagram which shows the example of 1 structure of the information processing apparatus of this embodiment. It is a block diagram which shows the specific structural example of the information processing apparatus shown in FIG. It is a block diagram which shows one structural example of the code production | generation apparatus contained in the information processing apparatus of this embodiment. It is a block diagram which shows the example of 1 structure of the code verification apparatus contained in the information processing apparatus of this embodiment. It is a flowchart which shows the operation | movement procedure of the code generation apparatus shown to FIG. 3A. It is a flowchart which shows the operation | movement procedure of the code verification apparatus shown to FIG. 3B. It is a flowchart which shows the procedure which produces | generates shared information by this embodiment. It is a flowchart which shows the procedure which decompress | restores dispersion | distributed information by this embodiment. It is a block diagram which shows the example of 1 structure of the related shared information production | generation apparatus. It is a block diagram which shows one structural example of the related decompression | restoration apparatus. It is a flowchart which shows the operation | movement procedure of the shared information generation apparatus shown to FIG. 8A. It is a flowchart which shows the operation | movement procedure of the decompression | restoration apparatus shown to FIG. 8B. FIG. 10 is a block diagram illustrating a configuration example of a code generation device disclosed in Non-Patent Document 2 or Non-Patent Document 3. It is a block diagram which shows the example of 1 structure of the code verification apparatus disclosed by the nonpatent literature 2 or the nonpatent literature 3. FIG. FIG. 10 is a block diagram illustrating a configuration example of a code generation device disclosed in Non-Patent Document 4. FIG. 10 is a block diagram illustrating a configuration example of a code verification device disclosed in Non-Patent Document 4.

  This embodiment will be described in detail with reference to the drawings. FIG. 1 is a block diagram illustrating a configuration example of the information processing apparatus according to the present embodiment.

  As illustrated in FIG. 1, the information processing apparatus 10 according to the present embodiment includes a storage unit 35 and a control unit 25. The control unit 25 includes a code distribution unit 702, a falsification detection code generation unit 100, a falsification detection code verification unit 200, a code restoration unit 801, and a secret information division unit 501 described later.

  FIG. 2 is a block diagram illustrating a specific configuration example of the information processing apparatus illustrated in FIG.

  As shown in FIG. 2, a CPU (Central Processing Unit) 11 that executes processing according to a program, a RAM (Random Access Memory) 13 for temporarily storing information to be supplied to the CPU 11 and information on arithmetic processing steps, Data transfer between each storage area of the storage unit 35, the main storage unit 12 in which the program is stored in advance, the data storage unit 14 in which information necessary for calculation processing such as secret information, threshold value, and number of distributed information is stored A memory control interface unit 15 for controlling the operation, an input unit 20 for inputting information, an output unit 30 for outputting calculation results, and an input / output control for the input unit 20 and the output unit 30 And an interface unit 16. These components are connected via a bus 18.

  In the program, processing procedures for causing the CPU 11 to execute the functions of the code distribution unit 702, the falsification detection code generation unit 100, the falsification detection code verification unit 200, the code restoration unit 801, and the secret information division unit 501 are written. . When the CPU 11 executes the program, the code distribution unit 702, the falsification detection code generation unit 100, the falsification detection code verification unit 200, the code restoration unit 801, and the secret information division unit 501 are virtually configured in the information processing apparatus 10. The

  Note that a processing procedure for causing the CPU 11 to execute the functions of the secret information encoding unit 301, the secret information decoding unit 401, and the decoding result determination unit 402 may be written in the program.

  Note that the data storage unit 14 may not be provided in the information processing apparatus 10, and may be provided separately from the information processing apparatus 10. The data storage unit 14 may be a storage device 900 having a storage unit 901.

  Further, a storage medium storing programs and data necessary for arithmetic processing may be attached to the input unit 20 and the information may be input to the information processing apparatus 10 via the input unit 20. Examples of the storage medium include a magnetic disk, a semiconductor memory, and an optical disk, but may be other recording media.

  Next, focusing on the generation and verification of the code corresponding to the check data, the information alteration detection method executed by the information processing apparatus 10 shown in FIG. 1 will be described. The secret information to be processed in the present embodiment is, for example, a prime number that serves as a secret key for document encryption. In this case, the original set of secret information is a set of prime numbers. Further, here, the information processing apparatus 10 will be described as being divided into two apparatuses, a code generation apparatus that performs code generation processing and a code verification apparatus that performs code verification processing.

  FIG. 3A is a block diagram illustrating a configuration example of a code generation device included in the information processing apparatus of the present embodiment. FIG. 3B is a block diagram illustrating a configuration example of a code verification apparatus included in the information processing apparatus according to the present embodiment. The information processing apparatus 10 according to the present embodiment includes a code generation device 500 and a code verification device 600.

  As illustrated in FIG. 3A, the code generation device 500 includes a secret information division unit 501 and a falsification detection code generation unit 100. Since the falsification detection code generation unit 100 has the same function as the falsification detection code generation device 100 described above, the same reference numerals are used. The falsification detection code generation unit 100 has the same configuration as that of the falsification detection code generation device 100, and thus a detailed description thereof is omitted here.

  When the secret information s that is the source of the secret information data set S is input, the code generation device 500 outputs the source of the check data set C, which is the output of the falsification detection code generation unit, and is also input S is output.

  When s that is the source of S is input, the secret information dividing unit 501 converts the secret information s ′ that is the source of the secret information data set S ′ and the r ′ that is the source of the random number data set R into a falsification detection code. Output to the generation unit 100. Upon receiving s ′ and r ′ from the secret information dividing unit 501, the falsification detection code generation unit 100 generates c, which is an element of the check data set C, using s ′ and r ′, and outputs the generated c To do.

  Next, the code verification device 600 will be described.

  As illustrated in FIG. 3B, the code verification device 600 includes the secret information division unit 501 and the falsification detection code verification unit 200 described above. The falsification detection code verification unit 200 has the same function as the falsification detection code verification device 200 described above, and therefore the same reference numerals are used. The falsification detection code verification unit 200 has the same configuration as that of the falsification detection code verification apparatus 200, and thus detailed description thereof is omitted here.

  When the secret information s to be restored and the source c of the check data set C extracted from the secret information to be restored are input, the code verification device 600 outputs s and the alteration detection code verification unit 200. The verification result is output, and the input s is output.

  The secret information dividing unit 501 includes the secret information that is output, the secret information that is output from the tamper detection code generation unit for uniform random numbers, and the secret information data set S ′ that is the input to the tamper detection code generation unit for uniform random numbers. It is assumed that the original secret information s ′ and r ′ that is the source of the random number data set R that is the input of the falsification detection code generation unit for the secret information and the uniform random number.

  When s ′, r ′, and c are input, the falsification detection code verification unit 200 performs verification processing using these pieces of information and outputs a verification result.

  Next, the operation procedure of the code generation device 500 will be described with reference to the flowchart of FIG.

  The source s of the secret information data set S is input to the code generation device 500 (step C1). When the secret information s is input, the secret information dividing unit 501 generates secret information s ′ that is the source of the secret information data set S ′ and r ′ that is the source of the random number data set R, and s ′ And r ′ are output to the falsification detection code generation unit 100 (step C2).

  When the secret information s ′ that is the source of the secret information data set S ′ and the r ′ that is the source of the random number data set R are input, the falsification detection code generation unit 100 uses them to check the data set for checking Generate c, which is an element of C, and output the generated c (step C3).

  Although detailed description is omitted here, the check data c generated in step C3 is embedded in the shared information.

  Next, the operation procedure of the code verification device 600 will be described with reference to the flowchart of FIG.

  The source s of the secret information data set S to be restored and c, the source of the check data set C extracted from the secret information, are input to the code verification device 600 (step D1). When s is input, the secret information dividing unit 501 uses s to generate secret information s ′ that is the source of the secret information data set S ′ and r ′ that is the source of the random number data set R. , S ′ and r ′ are output to the falsification detection code verification unit 200 (step D2).

  The tampering detection code verification unit 200 receives s ′ and r ′ from the secret information division unit 501, and when c ′ is input, performs verification processing using these pieces of information and outputs a verification result (step D3). . When the value calculated using s ′ and r ′ matches c ′, the tampering detection code verification unit 200 determines that the information has not been tampered with, and the values do not match It is determined that the information has been tampered with.

  So far, the description has focused on the code of the check data, but a processing method when the check data is embedded in the distributed information will be described.

  Here, the code distribution unit 702 includes a distributed codeword generation unit (not shown), the code restoration unit 801 includes a codeword restoration unit (not shown), and the falsification detection code verification unit 200 includes a codeword verification unit (not shown). ). These configurations are also virtually configured by the CPU 11 executing the program.

  First, a procedure for generating distributed information by performing distributed encoding processing on secret information will be described. FIG. 6 is a flowchart illustrating a procedure for generating shared information according to the present embodiment.

  As shown in FIG. 6, the secret information dividing unit 501 performs a process of dividing the secret information s into two, that is, secret information s_1 and secret information s_2 (step E1). At that time, the secret information dividing unit 501 makes at least one of the two pieces of divided information composed of the secret information s_1 and the secret information s_2 an element that is uniformly and randomly selected from the original set of the secret information s. . Subsequently, the falsification detection code generation unit 100 calculates the check data v as an output of a two-input function M () that receives the secret information s_1 and the secret information s_2 (step E2).

  Thereafter, the distributed codeword generation unit (not shown) generates a (k−1) -degree polynomial F in which the secret information s and the check data v are embedded, and sets n different values x1 to xn to the polynomial F. (X1, F (x1)) to (xn, F (xn)), which are pairs of input and output when input, are generated as distributed codeword information, and the distributed codeword information is output (step E3) .

  Next, a procedure for determining whether or not the information to be restored has been falsified will be described. FIG. 7 is a flowchart showing a procedure for restoring the shared information according to the present embodiment.

  When (x1 ′, F_1 ′) to (xk ′, F_k ′) are input as k sets of distributed codeword information, the codeword restoration unit (not shown) passes through these points (k−1). A next-order polynomial F ′ is generated, and secret information s ′ and check data v ′ embedded in the polynomial F ′ are read and output (step F1). When s ′ is input, the secret information dividing unit 501 divides s ′ into s′_1 and s′_2 (step F2).

  A codeword verification unit (not shown) determines whether M (s′_1, s′_2) and v ′ are equal. As a result, when M (s′_1, s′_2) and v ′ are equal, the codeword verification unit (not shown) outputs a verification result indicating that the information has not been tampered with, and M (s′_1, If s ′ — 2) and v ′ are not equal, a verification result indicating that the information has been tampered with is output (step F3).

  In the present embodiment, when the secret information s is divided into two pieces of information s2_1 and s2_2 in the code generation method, the random number element s2_2 is an element that is uniformly and randomly selected from the set from which the random number R is selected. These are divided, s2_1 is s, s2_2 is r, and they are input to a certain function M (), and the output is code.

  In this way, when the addition on the set of secret information, the set of random numbers selected, and the set of codes is expressed as +, s1 and c1 = M (s1, r1) are expressed for the secret information s1 and the random number r1. It is possible to detect with high probability that a given falsifier generates s1 ', r1', c1 'that satisfies M (s1 + s1', r1 + r1 ') = M (s1, r1) + c1' It has become.

  Then, due to the randomness of s2_2 and the nature of M (), a tamper who cannot be given s2_1, s2_2 will be M (s2_1 + s2_1 ', s2_2 + s2_2') = M (s2_1, s2_2) + c ' It is difficult to generate s2_1 ′, s2_2 ′, and c ′.

  Furthermore, in this embodiment, since the size of the secret information s that is the source of the secret information data set S and the size of r that is the source of the random number data set R can be set independently, the parameters can be set freely. Therefore, it is possible to detect the alteration of the distributed information by the (k, n) threshold method with high probability and efficiently, and to increase the degree of freedom of parameter setting.

  In this example, the method of Non-Patent Document 3 is applied to the above-described embodiment. In this example, a case where the method of Non-Patent Document 3 is applied will be described. However, another method may be applied to the function M () of the information alteration detection method of the above-described embodiment.

  As described in the background art section, the method of Non-Patent Document 3 is as follows.

  The method disclosed in Non-Patent Document 3 is a method in which p is a prime number, N is a positive integer, and (Z / pZ) ^ N is a set of secret information. The element of (Z / pZ) ^ N is written as s or (s_1, s_2, ..., s_N). In addition, Galois field GF (p ^ N) may be used instead of (Z / pZ) ^ N.

  At this time, as a code of (s_1, s_2,..., S_N), if s and an element r uniformly selected from Z / pZ are set, and * is a multiplication on Z / pZ, s_1 * r + s_2 * r ^ 2 + ... + s_ {N-1} * r ^ {N-1} + s_ {N} * r ^ {N + 1} mod p is used as check data.

  When q is a power of a prime number instead of Z / pZ, each set may be an element of a Galois field GF (q), and multiplication may be multiplication on the Galois field.

  Next, the operation procedure of the present embodiment will be described with reference to FIGS. 3A and 3B.

  First, the code generation method will be described. The case where (s1, s2, ..., s {N + 1}), which is an element of (Z / pZ) ^ {N + 1}, is input to the code generation device 500 as an example of secret information s To do.

  The code generation device 500 inputs s = (s1, s2,..., S {N + 1}) to the secret information dividing unit 501. Note that each si is a value uniformly selected at random.

  The secret information dividing unit 501 divides s into S ′ = (s1, s2,..., SN) and R ′ = s {N + 1} and outputs the result. Here, s {N + 1} is simply set as R ′, but any value from s1 to sN may be used.

  Subsequently, when S ′ and R ′ are input, the falsification detection code generation unit 100 receives s1 * s {N + 1} + s2 * s {N + 1} ^ 2 + ... + s {N− 1} * s {N + 1} ^ {N-1} + s_ {N} * s {N + 1} ^ {N + 1} mod p = C. The code generation device 500 outputs s and c.

  Next, a code verification method will be described.

  S '= (s1', s2 ', ..., s {N + 1}') which is an element of (Z / pZ) ^ {N + 1} is input to the code verification device 600 as secret information s A case where c ′ is input as the check data will be described as an example.

  The code verification device 600 inputs s ′ = (s1 ′, s2 ′,..., S {N + 1} ′) to the secret information dividing unit 501. When s ′ is input, the secret information dividing apparatus 501 divides s ′ into S ′ = (s1 ′, s2 ′,..., SN ′) and R ′ = s {N + 1} ′. Output. Here, s {N + 1} is simply R ′, but any value from s1 to sN may be used.

  Subsequently, the code verification device 600 inputs s ′, r ′, and c ′ to the falsification detection code verification unit 200. When s ′, r ′, and c ′ are input, the falsification detection code verification unit 200 receives s1 ′ * s {N + 1} ′ + s2 ′ * s {N + 1} ′ ^ 2 + ... + s {N-1} '* s {N + 1}' ^ {N-1} + s {N} '* s {N + 1}' ^ {N + 1} mod p Compare with c '. The tampering detection code verification unit 200 outputs a symbol indicating that no tampering has occurred when these values are equal as a result of the comparison. In other cases, a symbol indicating that alteration has occurred is output. The code verification device 600 outputs the input s ′ and the output result of the falsification detection code verification device 200.

  Here, when the processing contents of the code generation device 500 are viewed in detail, s = (s1, s2, ..., s {N + 1}) and c = s1 * s {N + 1} + s2 * s { N + 1} ^ 2 + ... + s {N-1} * s {N + 1} ^ {N-1} + s_ {N} * s {N + 1} ^ {N + 1} mod p (S1, s2, ..., s {N + 1}, c) is a code.

  For this code, d1, d2, ... such that the verification result of (s1 + d1, s2 + d2, ..., s {N + 1} + d {N + 1}, c + dc) is correct. , d {N + 1}, dc is generated by using s = (s1, s2,... s {N}) as secret information s {N + 1} as a random number in the method of Non-Patent Document 3. S = {s1 + d1, ..., sN + dN} as secret information, s {N + 1} + d {N + 1} as a random number, and c + dc (D1, d2,..., D {N + 1}, dc) is generated as the verification result when no data has been altered.

  Therefore, the tampering detection probability is kept at a high value by the safety of the method disclosed in Non-Patent Document 3.

  In this method, the size of the set from which s {N + 1} is selected is the size of the set from which random numbers are selected in Non-Patent Document 3. The size of the selected set of random numbers is related to the success probability of falsification detection. Therefore, it is possible to adjust the code length and the success probability of falsification by adjusting the size of the set from which s {N + 1} is selected. You can see that it is flexible.

  In the method of Non-Patent Document 4, if the size of the set of secret information selected is | S | and the success probability of alteration by a tamper is δ, the code set size is approximately | It was.

  On the other hand, in the above-described method, due to the nature of the method according to Non-Patent Document 3, if the size of the set from which s {N + 1} is selected is | s {N + 1} |, approximately 1 / | s {N + 1 } | Is the success probability of falsification. Since | s {N + 1} | is approximately equal to the size of the check data, it can be seen that the size of the code set of this method is approximately | S | / δ.

  That is, in the method of the present embodiment, the number of elements in the secret information set is s * r, and the probability of falsification is about 1 / r. At this time, the number of elements in the set of codes is approximately r, and it can be seen that the calculation efficiency is comparable to that of the method of Non-Patent Document 4.

  Furthermore, since the sizes of s and r in Non-Patent Document 4 can be set almost independently according to the nature of the method in Non-Patent Document 3, parameters can be freely set. Therefore, the parameter can be freely set by using the technique disclosed in Non-Patent Document 3 as M () while having the same efficiency as the method described in Non-Patent Document 4.

  The present invention can be used for distributed management of confidential information such as a secret key.

10 Information processing apparatus 11 CPU
12 Main memory 13 RAM
DESCRIPTION OF SYMBOLS 14 Data storage part 15 Memory control interface part 16 I / O interface part 20 Input part 25 Control part 30 Output part 35 Storage part 101 Check data generation part 201 Identity determination part 501 Secret information division part 701 Code generation part 702 Code distribution unit 801 Code restoration unit 802 Code validity verification unit

Claims (9)

An information processing apparatus that detects falsification of information generated by a (k, n) threshold method,
When the secret information s is input, at least one of the two pieces of divided information composed of the secret information s_1 and the secret information s_2 is an element that is uniformly and randomly selected from the original set of the secret information s. A secret information dividing unit that divides the secret information s into the secret information s_1 and the secret information s_2;
A code generator for calculating the value of the function M (s_1, s_2) having the secret information s_1 and the secret information s_2 as inputs for the two-input function M ();
The (k-1) th order polynomial F in which the secret information s and the check data v are embedded is generated, and different x values x1 to xn are input to the (k-1) th order polynomial F. A code distribution unit that outputs (x1, F (x1)) to (xn, F (xn)), which are pairs of inputs and outputs, as distributed codeword information,
When (x1 ′, F_1 ′) to (xk ′, F_k ′) are input as k sets of distributed codeword information to be restored, (xk ′, F_k) from (x1 ′, F_1 ′) A code restoration unit that generates a (k-1) th order polynomial F 'passing through the point') and restores the secret information s' and the check data v 'embedded in the (k-1) th order polynomial F'; ,
When the secret information s′_1 and the secret information s′_2 obtained by dividing the secret information s ′ by the secret information dividing unit are received from the secret information dividing unit, the value of the function M (s′_1, s′_2) It is determined whether or not the check data v ′ is equal. If the value of the function M (s′_1, s′_2) and the check data v ′ are equal, the secret information s ′ has not been tampered with. A code verification unit that determines that the secret information s ′ has been tampered with when the value of the function M (s′_1, s′_2) and the check data v ′ are not equal;
An information processing apparatus. Let p be a prime number, N be a positive integer, (Z / pZ) ^ {N + 1} be a set of secret information s, and (Z / pZ) ^ {N + 1} elements be (x_1, x_2, ..., x_ {N + 1}), and * is multiplication on Z / pZ,
The secret information dividing unit
One value is selected from the elements x_1, x_2,..., X_ {N + 1}, and the value is set as secret information s_2, and secret information s_1 = (x'_1, x) other than the selected value. '_2, ..., x' _ {N}), M (s_1, s_2) = x'_1 * s_2 + x'_2 * s_2 ^ 2 + ... + x '_ {N-1} The information processing apparatus according to claim 1, wherein * s_2 ^ {N-1} + x '_ {N} * s_2 ^ {N + 1} mod p is calculated and the calculation result is the check data v. A code generation method for detecting falsification of information generated by a (k, n) threshold method,
The secret information s to be encoded is such that at least one of the two pieces of divided information consisting of the secret information s_1 and the secret information s_2 is an element selected uniformly and randomly from the original set of the secret information s. Divided into the secret information s_1 and the secret information s_2,
For the two-input function M (), the value of the function M (s_1, s_2) having the secret information s_1 and the secret information s_2 as inputs is calculated as check data v.
The (k-1) th order polynomial F in which the secret information s and the check data v are embedded is generated, and different x values x1 to xn are input to the (k-1) th order polynomial F. A code generation method for outputting (x1, F (x1)) to (xn, F (xn)), which are pairs of inputs and outputs, as distributed codeword information. Let p be a prime number, N be a positive integer, (Z / pZ) ^ {N + 1} be a set of secret information s, and (Z / pZ) ^ {N + 1} elements be (x_1, x_2, ..., x_ {N + 1}), and * is multiplication on Z / pZ,
One value is selected from the elements x_1, x_2,..., X_ {N + 1}, and the value is set as secret information s_2, and secret information s_1 = (x'_1, x) other than the selected value. '_2, ..., x' _ {N}), M (s_1, s_2) = x'_1 * s_2 + x'_2 * s_2 ^ 2 + ... + x '_ {N-1} The code generation method according to claim 3, wherein * s_2 ^ {N-1} + x '_ {N} * s_2 ^ {N + 1} mod p is calculated and the calculation result is used as the check data v. A code verification method for detecting falsification of information generated by a (k, n) threshold method,
(K-1) is a set of input and output when x1 to xn, which are n values different from each other, are input to the (k-1) th order polynomial F (x1, F ( x1)) to (xn, F (xn)), (x1, F_1) to (x1, F_1) to (xk, F_k) of k sets of distributed codeword information to be restored To generate a (k−1) -degree polynomial F ′ that passes through the point (xk, F_k),
Restore the secret information s and the check data v embedded in the (k-1) degree polynomial F ′,
The secret information s is such that at least one of the two pieces of divided information consisting of the secret information s_1 and the secret information s_2 is an element selected uniformly and randomly from the original set of the secret information s. divided into s_1 and secret information s_2
For a two-input function M (), it is determined whether or not the value of the function M (s_1, s_2) and the check data v are equal, and the value of the function M (s_1, s_2) and the check data v are A code that determines that the secret information s has not been tampered with, and if the value of the function M (s_1, s_2) and the check data v are not equal, the secret information s is determined to have been tampered with. Method of verification. Let p be a prime number, N be a positive integer, (Z / pZ) ^ {N + 1} be a set of secret information s, and (Z / pZ) ^ {N + 1} elements be (x_1, x_2, ..., x_ {N + 1}), and * is multiplication on Z / pZ,
One value is selected from the elements x_1, x_2,..., X_ {N + 1}, and the value is set as secret information s_2, and secret information s_1 = (x'_1, x) other than the selected value. '_2, ..., x' _ {N}), M (s_1, s_2) = x'_1 * s_2 + x'_2 * s_2 ^ 2 + ... + x '_ {N-1} The code verification method according to claim 5, wherein * s_2 ^ {N-1} + x '_ {N} * s_2 ^ {N + 1} mod p is calculated and the calculation result is used as the check data v. (k, n) A program for causing a computer to generate code for detecting falsification of information generated by the threshold method,
When the secret information s to be encoded is input, an element in which at least one of the two pieces of divided information consisting of the secret information s_1 and the secret information s_2 is uniformly selected from the original set of the secret information s; The secret information s is divided into the secret information s_1 and the secret information s_2,
For the two-input function M (), the value of the function M (s_1, s_2) having the secret information s_1 and the secret information s_2 as inputs is calculated as check data v.
The (k-1) th order polynomial F in which the secret information s and the check data v are embedded is generated, and different x values x1 to xn are input to the (k-1) th order polynomial F. A program for causing the computer to execute a process of outputting (x1, F (x1)) to (xn, F (xn)), which are pairs of inputs and outputs, as distributed codeword information. (k, n) A program for causing a computer to verify code for detecting falsification of information generated by the threshold method,
(K-1) is a set of input and output when x1 to xn, which are n values different from each other, are input to the (k-1) th order polynomial F (x1, F ( (x1, F_1) to (xk, F_k) of k sets of distributed codeword information to be restored among (x1)) to (xn, F (xn)) are input. F_1) to generate a (k−1) degree polynomial F ′ passing through the points (xk, F_k),
Restore the secret information s and the check data v embedded in the (k-1) degree polynomial F ′,
The secret information s is such that at least one of the two pieces of divided information consisting of the secret information s_1 and the secret information s_2 is an element selected uniformly and randomly from the original set of the secret information s. divided into s_1 and secret information s_2
For a two-input function M (), it is determined whether or not the value of the function M (s_1, s_2) and the check data v are equal, and the value of the function M (s_1, s_2) and the check data v are If they are equal, it is determined that the secret information s has not been tampered with, and if the value of the function M (s_1, s_2) and the check data v are not equal, processing for determining that the secret information s has been tampered with A program for causing the computer to execute. Let p be a prime number, N be a positive integer, (Z / pZ) ^ {N + 1} be a set of secret information s, and (Z / pZ) ^ {N + 1} elements be (x_1, x_2, ..., x_ {N + 1}), and * is multiplication on Z / pZ,
One value is selected from the elements x_1, x_2,..., X_ {N + 1}, and the value is set as secret information s_2, and secret information s_1 = (x'_1, x) other than the selected value. '_2, ..., x' _ {N}), M (s_1, s_2) = x'_1 * s_2 + x'_2 * s_2 ^ 2 + ... + x '_ {N-1} The program according to claim 7 or 8, wherein * s_2 ^ {N-1} + x '_ {N} * s_2 ^ {N + 1} mod p is calculated and the calculation result is the check data v.

Images