JP2015022098A - Decryption system, terminal device, signature system, method therefor, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a decryption system capable of acquiring decrypted text without calculating true secrete information aand not by gathering K pieces of secrete information.SOLUTION: The decryption system includes a terminal device and N proxy calculation devices n. The proxy computing devices n include a storage unit in which dispersed secrete information f(j) and a calculation unit for finding a value f(j)τ by using information τ corresponding to cipher text and the dispersed secrete information f(j). The terminal device includes a request unit for requesting the proxy computing devices n to find the value f(j)τ from the information τ corresponding to cipher text, and a decryption unit for finding information aτ corresponding to the cipher text by using K values f(j)τ, k=1, 2, etc., to K, jbeing one of j,j, etc., to jdiffering for each k.

Description

  The present invention relates to a decryption system using a secret sharing method, a terminal device used in the decryption system, a signature system using a secret sharing method, a terminal device used in the signature system, a method thereof, and a program.

  As a decryption method using the secret sharing method, Non-Patent Document 1 is known as a prior art.

In the Secret Sharing method, polynomial
f (x) = a _K-1 x ^K-1 +… + a ₁ x ¹ + a ₀ (1)
Using, instead of storing the true secret information _{a 0, f (1),} f (2), ..., as the secret information that is dispersed the value of f (N), stores the plurality of devices.

In the (K, N) threshold secret sharing method, if any K different pieces of secret information f (n _k ) out of N pieces of distributed secret information f (n) are collected, the true secret information a ₀ can be obtained. On the other hand, with any different K−1 pieces of secret information f (n _{k ′} ), no information can be obtained regarding the true secret information a ₀ . Here, N is an integer greater than or equal to 2, K is an integer greater than or equal to 1 and less than or equal to N, n = 1,2, ..., N, k = 1,2, ..., K, k '= 1,2, ..., K- 1, n _k and n _{k ′} are values of 1, 2,..., N corresponding to k and k ′, respectively.

By storing secret information f (n) distributed by a plurality of devices, even if K-1 pieces of secret information f (n) are stolen, the true secret information a ₀ does not leak, Even if NK pieces of secret information f (n) distributed are lost or destroyed, the true secret information a ₀ can be restored.

Okamoto Tatsuaki and Yamamoto Hiroshi, `` Contemporary Cryptography '', 1997, Industrial Books, pp209-218.

However, in the conventional art, the thus collected once the K secret information f (n _k), since she can calculate the true secret information a _0, reliably after using the true secret information a ₀ Clear There is a possibility of information leakage if erasure fails.

A first aspect of the present invention provides a decryption system capable of obtaining a decrypted text without calculating true secret information a ₀ , a terminal device used in the decryption system, a method thereof, and a program With the goal.

Also, another aspect of the present invention provides a signature system that can generate an electronic signature without calculating true secret information a ₀ , a terminal device used in the signature system, a method thereof, and a program For the purpose.

In order to solve the above problem, according to the first aspect of the present invention, the decoding system is configured such that N is an integer greater than or equal to 2, n = 1,..., N, a terminal device, and N proxy calculations Device n. K is an integer between 1 and N, f (x) = a _(K-1) x ^(K-1) + ... + a ₁ x + a _0, and a ₀ = f (0) is true secret information And j _n is an integer greater than or equal to 1 different for each _n , f (j _n ) is distributed secret information, and the proxy computing device n is a storage unit for storing the distributed secret information f (j _n ) And a calculation unit for obtaining the value f (j _n ) τ using the information τ corresponding to the ciphertext and the distributed secret information f (j _n ). Terminal apparatus includes a request unit that requests the proxy computing device n to seek from the information corresponding to the ciphertext tau value _{f (j n) τ, k} = 1,2, ..., K, the j _k k different j _1, j ₂ for each, ..., and any value of j _N, with K values f (j _k) τ, a decoding unit for obtaining the information a ₀ tau corresponding to the decrypted text, the Including.

In order to solve the above-described problem, according to another aspect of the present invention, the signature system is configured such that N is an integer greater than or equal to 2, n = 1,..., N, a terminal device, and N proxy computing devices n. K is an integer between 1 and N, f (x) = a _(K-1) x ^(K-1) + ... + a ₁ x + a _0, and a ₀ = f (0) is true secret information And j _n is an integer greater than or equal to 1 different for each _n , f (j _n ) is distributed secret information, and the proxy computing device n is a storage unit for storing the distributed secret information f (j _n ) And a calculation unit for obtaining the value f (j _n ) τ using the information τ corresponding to the plaintext and the distributed secret information f (j _n ). The terminal device requests the proxy computing device n to obtain the value f (j _n ) τ from the information τ corresponding to the plaintext, and k = 1, 2,..., K, j _k for each k different j _1, j _2, the ..., and any value of j _N, with K values f (j _k) τ, a signature generation unit for obtaining the information a ₀ tau corresponding to the electronic signature, the Including.

According to the present invention, information leakage due to true secret information a ₀ can be prevented.

The figure which shows the structural example of the decoding system which concerns on 1st embodiment. The figure which shows the processing flow of the decoding system 1 which concerns on 1st embodiment. The functional block diagram of the terminal device which concerns on 1st embodiment. Functional block diagram of the proxy computing device according to the first embodiment The figure which shows the structural example of the decoding system which concerns on 2nd embodiment. The figure which shows the structural example of the decoding system which concerns on 3rd embodiment. The figure which shows the processing flow of the decoding system 1 which concerns on 3rd embodiment. The functional block diagram of the terminal device which concerns on 3rd embodiment. The figure which shows the structural example of the electronic signature system which concerns on 4th embodiment. The figure which shows the processing flow of the electronic signature system which concerns on 4th embodiment. The functional block diagram of the terminal device which concerns on 4th embodiment.

  Hereinafter, embodiments of the present invention will be described. In the drawings used for the following description, constituent parts having the same function and steps for performing the same process are denoted by the same reference numerals, and redundant description is omitted.

<First embodiment>
A decoding system 1 according to the first embodiment will be described with reference to FIGS. 1 and 2. FIG. 1 shows a configuration example of a decoding system 1 according to the first embodiment, and FIG. 2 shows a processing flow thereof.

  The decryption system 1 includes a terminal device 11 and N proxy computing devices 12-n. These are configured to be able to communicate through a network. However, N is an integer greater than or equal to 2, n = 1, ..., N.

Here, K is an integer from 1 to N, f (x) = a _(K-1) x ^(K-1) + ... + a ₁ x + a _0, and a ₀ = f (0) is true Secret information, j _n is an integer of 1 or more different for each n, and f (j _n ) is distributed secret information. 'It can determine the information a ₀ tau corresponding to, decrypted text M' decrypted text M by using the information corresponding to the ciphertext C of the plaintext M tau and the true secret information a ₀ information a ₀ tau corresponding to It is assumed that the decrypted text M ′ can be obtained from Here, operations defined by groups are expressed additively. That is, G is a cyclic group, and “αb” for α∈G means that the operation defined in group G is applied to α for b times.

  As illustrated in FIG. 3, the terminal device 11 includes a request unit 111, a decryption unit 112, and a storage unit 113. The proxy computing device 12-n is a device that is safely managed, and includes a storage unit 122 and a computing unit 121, as shown in FIG. 3 and 4 show functional block diagrams of the terminal device 11 and the proxy computing device 12-n, respectively.

  The terminal device 11 and the proxy computing device 12-n include a router device, a server device, a mobile phone, an IC card, and other devices having a calculation function and a storage function, a CPU (central processing unit) loaded with a special program, It is a known or dedicated computer equipped with RAM (random-access memory).

<Pre-processing>
For example, a distribution device (public key server) (not shown) generates a public key y and a private key d corresponding to the public key y, and publishes the public key y. As public key cryptosystems, ElGamal cryptosystem, elliptic ElGamal cryptosystem, RSA cryptosystem, Pailler cryptosystem, and the like are conceivable. Further, the distribution device selects a random (K-1) degree polynomial having the secret key d as the true secret information a ₀ and a ₀ as the constant term,
f (x) = a _(K-1) x ^(K-1) +… + a ₁ x + a ₀ (1)
And distribute the secret information f (j _n ) distributed to the proxy computing device 12-n. Further, the distribution device may delete the true secret information a ₀ after distributing the distributed secret information f (j _n ).

The proxy computing device 12-n receives the distributed secret information f (j _n ) and stores the distributed secret information f (j _n ) in the storage unit 122.

  A terminal device (not shown) encrypts the plaintext M using the public key y using the public key encryption method, generates a ciphertext C = Enc (y, M), and transmits the ciphertext C to the terminal device 11. .

  The terminal device 11 receives the ciphertext C and stores the ciphertext C in the storage unit 113.

<Decryption process>
The request unit 111 of the terminal device 11 requests the proxy computing device 12-n to obtain the value f (j _n ) τ from the information τ corresponding to the ciphertext C (s1). For example, the information τ corresponding to the ciphertext and the calculation request information (information described so as to obtain the value f (j _n ) τ) are transmitted to the N proxy computing devices 12-n via the network. Note that it is not always necessary to transmit to N proxy computing devices 12-n, and it is sufficient to transmit to at least K proxy computing devices 12-n.

Upon receiving the information τ corresponding to the ciphertext C, the calculation unit 121 of the proxy computer 12-n reads the secret information f (j _n ) distributed from the storage unit 122, and the information τ corresponding to the ciphertext C Using the distributed secret information f (j _n ), a value f (j _n ) τ is obtained (s 2) and transmitted to the terminal device 11.

When receiving the K values f (j _k ) τ, the decryption unit 112 of the terminal device 11 obtains information a ₀ τ corresponding to the decrypted text M ′ using the K values f (j _k ) τ. (S3). Here, k = 1,2, ..., K , j k varies from _{k j 1, j 2, ...} , is any value of j _n. For example, the information a ₀ τ corresponding to the decrypted text M ′ is obtained by multiplying K values f (j _k ) τ by a constant and adding them. Further, the decryption unit 112 acquires the decrypted text M ′ from the information a ₀ τ corresponding to the decrypted text M ′, and outputs it from an output unit such as a display. Note that the information a ₀ τ corresponding to the decrypted text M ′ can be obtained even if up to NK pieces of secret information f (n) are lost or destroyed. Hereinafter, examples of K = 2 and K = 3 are shown. For easy understanding, in this example, j _n = j _k = n.

<When K = 2>
For example, when K = 2 and f (x) = a ₁ x + a ₀ , since the relationship of a ₀ = 2f (1) + f (2) is established (see Expression (1)), the request from the terminal device 11 The unit 111 requests the proxy calculation devices 12-1 and 12-2 to calculate f (1) τ and f (2) τ, respectively. Upon receiving f (1) τ and f (2) τ, the decryption unit 112 of the terminal device 11 obtains information a ₀ τ corresponding to the decrypted text M ′ by the following equation.
a ₀ τ = 2f (1) τ + f (2) τ

With such a configuration, if the discrete logarithm problem is a difficult group, the terminal device 11 knows the true secret information a ₀ even after knowing the information a ₀ τ corresponding to the decrypted text M ′. It is not possible. Therefore, the terminal device 11 cannot obtain the information a ₀ τ ′ corresponding to the decrypted text M ′ from the information τ ′ corresponding to the cipher text C ′ unrelated to the cipher text C. This is different from the conventional secret sharing method.

<When K = 3>
For example, when K = 3 and f (x) = a ₂ x ² + a ₁ x + a ₀ , the relationship of a ₀ = f (3) -2f (2) + f (1) holds ( (See equation (1)), the request unit 111 of the terminal device 11 sends f (1) τ, f (2) τ, and f (3) τ to the proxy computing devices 12-1, 12-2, and 12-3, respectively. Request a calculation. Upon receiving f (1) τ, f (2) τ, and f (3) τ, the decryption unit 112 of the terminal device 11 obtains information a ₀ τ corresponding to the decrypted text M ′ by the following equation.
a ₀ τ = f (3) τ-2f (2) τ + f (1) τ

  Hereinafter, public key cryptosystems using RSA encryption, ElGamal encryption, and elliptic ElGamal encryption will be described.

(About public key cryptography using RSA cryptography)
An example of a public key cryptosystem using RSA cryptography will be described. First, let t be a security parameter. Let p, q (p ≠ q) be a t / 2-bit prime number, and m = pq. e is a positive integer less than φ (m), which is relatively prime with φ (m), d (= a ₀ ) is the inverse of e modulo φ (m) (de≡1 (modφ ( m))). Here, φ (m) is an Euler function of m, and in this case, is equal to (p−1) (q−1). A set of integers greater than or equal to 0 and less than _m is represented by Z _m . The M to the original plaintext space Z _m.

  In the public key cryptosystem using RSA cryptography, the public key y = (e, m).

A terminal device (not shown) encrypts the plaintext M by the following equation using the public key y = (e, m).
C = M ^e mod m
Here, the operation defined by the group is expressed in a multiplicative manner. That is, G is a group, and “α ^b ” for α∈G means that the operation defined in group G is applied to α b times. The information τ corresponding to the ciphertext C is the ciphertext C itself (τ = C), the information a ₀ τ corresponding to the decrypted text M ′ is C a — ⁰ , and the decrypted text M ′ is expressed by the following equation.
M '= C ^a_0 mod m
In addition, the superscript a_0 means a _0.

The terminal device 11 transmits the ciphertext C and the calculation request information (information described so as to obtain the value C ^{f (n)} ) to the N proxy calculation devices 12-n.

The proxy computing device 12-n obtains a value C ^{f (n)} and transmits it to the terminal device 11.

The terminal device 11 obtains the decrypted text M ′ = C ^{f (0)} mod m using the public key y = (m, e) and the K values C ^{f (k)} .

For example, when K = 2 and f (x) = a ₁ x + a ₀ , the relationship of a ₀ = 2f (1) + f (2) holds, so C ^{f (1)} and C ^{f (2)} are The decrypted text M ′ = C a — ⁰ mod m can be obtained by the following equation.
M '= C ^a_0 mod m = C ^{2f (1) + f (2)} mod m

(About public key cryptosystem using ElGamal cipher)
An example of a public key cryptosystem using ElGamal will be described. Let t be the security parameter. Select a cyclic group G in which the order q is a prime number and the number of bits of q is t. Select G generator g. x (= a ₀ ) is randomly selected from {0, ..., q-1}. Let h = g ^x . The plaintext space is G, and M is an element of G. The ciphertext space is G ² and (C ₁ , C ₂ ) ∈G × G.

In the public key cryptosystem using ElGamal cryptography, the public key y = (G, q, g, h = ^ga_0 ).

A terminal device (not shown) encrypts the plaintext M by the following equation using the public key y = (G, q, g, h = ^ga_0 ).
C = (C ₁ , C ₂ )
C ₁ = g ^r
C ₂ = Mh ^r
However, r is a random number generated by a terminal device (not shown), and is an integer randomly selected from 0 <r <q. Here, the operation defined by the group is expressed in a multiplicative manner. The information τ corresponding to the ciphertext C is C ₁ which is a part of the ciphertext C, the information a ₀ τ corresponding to the decrypted text M ′ is C _{1 a —} ⁰ , and the decrypted text M ′ is expressed by the following equation.
M '= C ₂ / C ₁ ^a_0

The terminal device 11 transmits a part C _{1 of the} ciphertext and the calculation request information (information described so as to obtain the value C ₁ ^{f (n)} ) to the N proxy calculation devices 12-n.

The proxy computing device 12-n obtains a value C ₁ ^{f (n)} and transmits it to the terminal device 11.

The terminal device 11 uses the public key y = (G, q, g, h = g a — ⁰ ), a part C _{2 of the} ciphertext C, and the K values C ₁ ^{f (k)} to obtain a decrypted text M ′. = C ₂ / C ₁ ^a_0 is obtained.

For example, if K = 2, f (x) = a ₁ x + a ₀ , the relationship a ₀ = 2f (1) + f (2) holds, so C ₁ ^{f (1)} , C ₁ ^{f (2 )} , The decrypted text M ′ = C ₂ / C _{1 a —} ⁰ can be obtained by the following equation.
M '= C ₂ / C ₁ ^a_0 = C ₂ / C ₁ ^{2f (1) + f (2)}

(About public key cryptography using elliptic ElGamal cryptography)
In the public key cryptosystem using the elliptic ElGamal cipher, where E is an elliptic curve parameter, J and H are points on the elliptic curve E, q is the order of the point J on the elliptic curve E, the public key y = (E, q, J, H = a ₀ J).

A terminal device (not shown) encrypts the plaintext M by the following equation using the public key y = (J, H = a ₀ J).
C = (C ₁ , C ₂ )
C ₁ = rJ
C ₂ = M + rH
However, r is a random number generated by a terminal device (not shown), and is an integer randomly selected from 0 <r <q. Here, operations defined by groups are expressed additively. The information τ corresponding to the ciphertext C is C ₁ which is a part of the ciphertext C, the information corresponding to the decrypted text M ′ is a ₀ C ₁ , and the decrypted text M ′ is expressed by the following equation.
M '= C ₂ -a ₀ C ₁

The terminal device 11 transmits a part C _{1 of the} ciphertext and calculation request information (information described so as to obtain the value f (n) C ₁ ) to the N proxy calculation devices 12-n.

The proxy computing device 12-n obtains the value f (n) C ₁ and transmits it to the terminal device 11.

The terminal device 11 uses the public key y = (E, q, J, H = a ₀ J), a part C _{2 of the} ciphertext, and K values f (k) C ₁ to use the decrypted text M ′. = C ₂ -a ₀ C ₁ is obtained.

For example, if K = 2, f (x) = a ₁ x + a ₀ , the relationship a ₀ = 2f (1) + f (2) holds, so C ₁ f (1), C ₁ f (2 ), The decrypted text M ′ = C ₂ −C ₁ a ₀ can be obtained by the following equation.
M '= C ₂ -a ₀ C ₁ = C _2- (2f (1) + f (2)) C ₁

<Effect>
With this configuration, without calculating the true secret information a _0, 'it is possible to determine the information a ₀ tau corresponding to, decrypted text M' decrypted text M decrypted text M from information a ₀ tau corresponding to 'Can get. In the terminal apparatus 11, since it is not possible to know the true secret information a _0, without that fail to erase the true secret information a _0, to prevent information leakage due to erasure failure of the true secret information a ₀ Can do. Further, even if the secret key d = a ₀ is deleted after the secret information f (n) is distributed, the ciphertext C can be decrypted, and the management burden of the secret key can be reduced.

<Modification>
In the present embodiment, the request unit 111 of the terminal device 11 is configured to transmit the calculation request information to the proxy calculation device 12-n. However, the proxy calculation device 12-n is encrypted without transmitting the calculation request information. When the sentence C is received, a value f (j _n ) τ may be calculated and this value may be returned.

  A distribution device (not shown) may be provided separately from the N proxy computing devices 12-n, or any of the N proxy computing devices 12-n may have the function.

<Second embodiment>
A description will be given centering on differences from the first embodiment. The decoding system 2 according to the second embodiment will be described with reference to FIG. FIG. 5 shows a configuration example of the decoding system 2 according to the second embodiment.

  The decryption system 2 includes a terminal device 11, N proxy computing devices 12-n, and a key device 23. These are configured to be able to communicate through a network. The key device 23 manages N proxy computing devices 12-n. For example, the key device 23 changes the address of the N proxy computing devices 12-n, changes, adds, deletes the N proxy computing devices 12-n, and the terminal device 11 and the N proxy computing devices 12 -N transmits and receives information via the key device 23. The key device 23 may be configured to perform access control.

In the first embodiment, the terminal device 11 directly makes a calculation request to the N proxy computing devices 12-n. In the second embodiment, the terminal device 11 makes a calculation request via the key device 23. At this time, if the ciphertext C is passed to the key device 23, the decrypted text M ′ is known to the key device 23. Therefore, in the present embodiment, the proxy computer 12 is configured to pass a part C _{1 of the} ciphertext C instead of the ciphertext C itself to the key device 23 and obtain the value f (j _n ) C ₁ via the key device 23. -Ask to n. In the present embodiment, the information τ corresponding to the ciphertext C is a part C ₁ of the ciphertext C. A part C ₁ of the ciphertext C is information corresponding to the ciphertext C, and is information that cannot decrypt the decrypted text M ′ alone. In order to decrypt the ciphertext C may require a portion C ₁ and the other part of the ciphertext C. For example, it is possible to use C ₁ of ElGamal encryption and elliptic ElGamal encryption of the first embodiment as a part C ₁ of the ciphertext C.

<Pre-processing>
For example, the key device 23 generates a public key y and a private key d corresponding to the public key y, and publishes the public key y. As public key cryptosystems, ElGamal cryptosystem, elliptical ElGamal cryptosystem, and the like are conceivable. Further, the key device 23 selects a random (K−1) degree polynomial having the secret key d as the true secret information a ₀ and a ₀ as the constant term,
f (x) = a _(K-1) x ^(K-1) +… + a ₁ x + a ₀
And distribute the secret information f (j _n ) distributed to the proxy computing device 12-n. Further, the key device 23 may delete the true secret information a ₀ after distributing the distributed secret information f (j _n ).

The proxy computing device 12-n receives the distributed secret information f (j _n ) and stores the distributed secret information f (j _n ) in the storage unit 122.

  A terminal device (not shown) encrypts the plaintext M using the public key y using the public key encryption method, generates a ciphertext C = Enc (y, M), and transmits the ciphertext C to the terminal device 11. .

For example, in the public key cryptosystem using ElGamal cipher, the public key y = (g, h = ^ga_0 ) and the ciphertext C
C = (C ₁ , C ₂ )
C ₁ = g ^r
C ₂ = Mh ^r
And In the public key cryptosystem using the elliptic ElGamal cipher, the public key y = (G, H = a ₀ G) and the ciphertext C
C = (C ₁ , C ₂ )
C ₁ = rG
C ₂ = M + rH
And

The terminal device 11 receives the ciphertext C and stores the ciphertext C in the storage unit 113. For example, the ciphertext C consists of C ₁ and C ₂ and is expressed as C = (C ₁ , C ₂ ).

<Decryption process>
In the present embodiment, a part C _{1 of the} ciphertext C is used as the information τ corresponding to the ciphertext C, and the request unit 111 of the terminal device 11 transmits the part C _{1 of the} ciphertext C via the key device 23. N proxy computing devices 12-n are requested to obtain the value f (j _n ) C ₁ from (s1).

Upon receiving the part C _{1 of the} ciphertext C, the calculation unit 121 of the proxy computing device 12-n reads the secret information f (j _n ) distributed from the storage unit 122, and the part C _{1 of the} ciphertext C A value f (j _n ) C ₁ is obtained using the distributed secret information f (j _n ) (s 2) and transmitted to the key device 23.

The decryption unit 112 of the terminal device 11 receives the value f (j _n ) C ₁ from the proxy computing device 12-n via the key device 23, and converts the K values f (j _k ) C ₁ into the decrypted text M ′. Corresponding information a ₀ C ₁ is obtained (s3). Incidentally, in the key device 23, K number of 'for information a ₀ C ₁ corresponding to, decrypted text M' value f (j _k) from C ₁ decrypted text M information a ₀ C ₁ corresponding to the terminal device 11 It is good also as a structure which transmits to. The process for obtaining the decrypted text M ′ from the information a ₀ C ₁ corresponding to the decrypted text M ′ is as described in the first embodiment. For example, when ElGamal cipher is used, the decrypted text M ′ is obtained by M ′ = C ₂ / C ₁ ^a_0 , and when elliptic ElGamal cipher is used, the decrypted text M ′ is obtained by M ′ = C ₂ -C ₁ a _0. Ask.

<Effect>
With such a configuration, the same effect as that of the first embodiment can be obtained. Further, since the N proxy computing devices 12-n are managed by the key device 23, the terminal device 11 does not need to individually request the N proxy computing devices 12-n for calculation, and the terminal device 11 11 processing can be reduced. Since the decrypted text M ′ cannot be decrypted from only part C ₁ of the cipher text C, the key device 23 can relay the process while keeping the decrypted text M ′ secret.

<Third embodiment>
A description will be given centering on differences from the second embodiment. The decoding system 3 according to the third embodiment will be described with reference to FIGS. FIG. 6 shows a configuration example of the decoding system 3 according to the third embodiment, and FIG. 7 shows a processing flow thereof.

In the present embodiment, not the part C _{1 of the} ciphertext C but the disturbance information τ (n) that disturbs the relationship with the ciphertext C by the random number r _n is passed to the key device 23, and the value is transmitted via the key device 23. The proxy computing device 12-n is requested to obtain f (j _n ) τ (n). The difference from the second embodiment is that the ciphertext (disturbance information) that can be randomly returned by the key device 23 is decrypted. The encryption method capable of random reduction consists of a randomization algorithm and a restoration algorithm. The randomization algorithm is a probability algorithm that outputs another ciphertext using a ciphertext and a random number, and the output follows a probability distribution that cannot be distinguished from a randomly selected ciphertext regardless of input. The restoration algorithm outputs the plaintext obtained by decrypting the original ciphertext, with the result of decrypting the ciphertext output from the randomization algorithm and the random number used in the randomization algorithm as inputs. Such an encryption method can be easily configured using a homomorphic encryption method such as ElGamal encryption, elliptical ElGamal encryption, RSA encryption, and Pailler encryption. The third embodiment will be described with reference to an example in which a random self-reducing encryption scheme is configured using a homomorphic encryption scheme. In the present embodiment, the information tau corresponding to the ciphertext C is a disturbance information obtained by disrupting the relation between ciphertext C by the random number r _n τ _(n). Incidentally, disturbance information tau (n) is information corresponding to the ciphertext C, and is information that can not decode the decrypted text M 'without knowing the random number r _n. The random number r _n may be a set of a plurality of random numbers.

The decryption system 3 includes a terminal device 31, N proxy computing devices 12-n, and a key device 23. These are configured to be communicable through a network (see FIG. 6). For example, a key management cloud can be configured by N proxy computing devices 12-n and a key device 23, and a cloud key management type encryption method (see Reference 1) can be realized.
(Reference 1) JP 2012-151756 A

  As illustrated in FIG. 8, the terminal device 31 includes a request unit 111, a decoding unit 112, a storage unit 113, a disturbance information generation unit 314, and a second decoding unit 315. FIG. 8 shows a functional block diagram of the terminal device 31.

<Decryption process>
Disturbance information generating unit 314 of the terminal apparatus 31 generates the N random numbers r _n, takes out the ciphertext C from the storage unit 113, disturbance information is disrupting the relation between ciphertext C by the random number r _n τ _(n ) Is generated (s31) and output to the request unit 111. N random numbers r _n are stored in the storage unit 113. In other words, disturbance information generating unit 314, in accordance with randomizing algorithm defined from the random self return of the encryption method, generates the disturbance information corresponding to the cipher text C and the random number r _n τ _(n). For example, if the ciphertext C is a ciphertext homomorphic encryption scheme, disturbance information generating unit 314, the same ciphertext (random cryptographic obtained by encrypting the random number r _n in a public key y in accordance with the same homomorphic cryptography the statement) Enc (y, and r _n), Enc (y, disturbance information by multiplication with r _n) and C τ (n) = Enc ( y, generates a r _n) · C.

The request unit 111 of the terminal device 31 requests the N proxy computing devices 12-n to obtain the value f (j _n ) τ (n) from the disturbance information τ (n) via the key device 23. (S1).

Upon receiving the disturbance information τ (n), the calculation unit 121 of the proxy calculation device 12-n reads the secret information f (j _n ) distributed from the storage unit 122 and follows the homomorphic encryption method described above. A value f (j _n ) τ (n) is obtained using the disturbance information τ (n) and the distributed secret information f (j _n ) (s2) and transmitted to the key device 23.

The second decryption unit 315 of the terminal apparatus 11 receives the proxy computing device 12-n from the value _{f (j n) τ (n} ) through the key device 23 takes out a random number r _n from the storage unit 113, the encryption method accordance with the recovery algorithm defined from the random self return property, using the random number r _n, the value f (j _n) τ determined the value f (j _n) C from (n) (s32), the value f (j _n) C is output to the decoding unit 112. For example, in the case of the above-described example where the disturbance information (n) = Enc (y, r _n ) · C, the second decoding unit 315 uses the inverse element r _n ⁻¹ of the random number r _n and uses f (j _n ) τ ( n) with the original r _n multiplication with _{^{-1 f (j n) C =}} (r n -1) · f (j n) τ (n) makes it possible to obtain a value f (j _n) C. This is based on the fact that the encryption function and the decryption function of the homomorphic cryptosystem have homomorphism.

The decryption unit 112 of the terminal device 11 obtains information a ₀ C corresponding to the decrypted text M ′ from the K values f (j _k ) C, obtains the decrypted text M ′ from the information a ₀ C, and displays Output from the output unit (s3).

<Effect>
With such a configuration, the same effect as that of the second embodiment can be obtained. Further in this embodiment, to via the key device 23 is a disturbance data corresponding to the cipher text C and the random number r _n τ _(n), not the ciphertext C. Even if the key device 23 can obtain the value f (j _n ) τ (n), since the key device 23 does not know the random number r _n , the value f (j _n ) τ (n) to the value f (j _n ) You can't get C. Thereby, even if the administrator of the key device 23 acquires K values f (j _k ) τ (k), it is possible to prevent the decryption result M ′ of the ciphertext C from being known.

The information corresponding to the ciphertext C tau may be disturbance information obtained by disrupting the relation with a portion C ₁ of the ciphertext C tau (n) by a random number r _n.

<Fourth embodiment>
The electronic signature system 4 according to the fourth embodiment will be described with reference to FIGS. 9 and 10. FIG. 9 shows a configuration example of the electronic signature system 4 according to the fourth embodiment, and FIG. 10 shows the processing flow.

  The electronic signature system 4 includes a terminal device 41 and N proxy computing devices 12-n. These are configured to be able to communicate through a network. However, N is an integer greater than or equal to 2, n = 1, ..., N.

Here, K is an integer from 1 to N, f (x) = a _(K-1) x ^(K-1) + ... + a ₁ x + a _0, and a ₀ = f (0) is true Secret information, j _n is an integer of 1 or more different for each n, and f (j _n ) is distributed secret information. Can ask for information a ₀ tau corresponding to the electronic signature σ by using the information tau and true secret information a ₀ corresponding to the plaintext M, obtains the electronic signature σ from the information a ₀ tau corresponding to the electronic signature σ Shall. Here, operations defined by groups are expressed additively.

  As illustrated in FIG. 11, the terminal device 41 includes a request unit 411, a signature generation unit 412, and a storage unit 413. FIG. 11 shows a functional block diagram of the terminal device 41.

  The terminal device 41 and the proxy computing device 12-n include a router device, a server device, a mobile phone, an IC card and other devices having a calculation function and a storage function, a CPU (central processing unit) loaded with a special program, It is a known or dedicated computer equipped with RAM (random-access memory).

<Pre-processing>
For example, a distribution device (public key server) (not shown) generates a public key y and a private key d corresponding to the public key y, and publishes the public key y. As an electronic signature encryption method, an ElGamal encryption method, an elliptic ElGamal encryption method, an RSA encryption method, a Pailler encryption method, and the like can be considered.

Further, the distribution device selects a random (K-1) degree polynomial having the secret key d as the true secret information a ₀ and a ₀ as the constant term,
f (x) = a _(K-1) x ^(K-1) +… + a ₁ x + a ₀
And distribute the secret information f (j _n ) distributed to the proxy computing device 12-n. Further, the distribution device may delete the true secret information a ₀ after distributing the distributed secret information f (j _n ).

The proxy computing device 12-n receives the distributed secret information f (j _n ) and stores the distributed secret information f (j _n ) in the storage unit 122.

  The terminal device 41 receives the plaintext M and stores the plaintext M in the storage unit 413.

<Signature generation processing>
The request unit 411 of the terminal device 41 requests the proxy computing device 12-n to obtain the value f (j _n ) τ from the information τ corresponding to the plaintext M (s1). For example, the information τ corresponding to the plaintext M and the calculation request information (information described so as to obtain the value f (j _n ) τ) are transmitted to the N proxy computing devices 12-n via the network. Note that it is not always necessary to transmit to N proxy computing devices 12-n, and it is sufficient to transmit to at least K proxy computing devices 12-n.

Upon receiving the information τ corresponding to the plaintext M, the calculation unit 121 of the proxy computing device 12-n reads the secret information f (j _n ) distributed from the storage unit 122 and is distributed with the information τ corresponding to the plaintext M. Using the secret information f (j _n ) obtained, a value f (j _n ) τ is obtained (s 2) and transmitted to the terminal device 41.

Signature generation unit 412 of the terminal device 41 receives the K values f (j _k) τ, using the K values f (j _k) τ, for information a ₀ tau corresponding to the electronic signature σ The electronic signature σ is obtained from the information a ₀ τ corresponding to the electronic signature σ (s3).

  The terminal device 41 transmits the plaintext M and the electronic signature σ to a terminal device (not shown).

  A terminal device (not shown) can determine whether or not the electronic signature σ is authentic by using the plaintext M, the electronic signature σ, and the public key y.

Hereinafter, an electronic signature when RSA encryption is used will be described. For easy understanding, in this example, j _n = j _k = n.

(Digital signature when RSA encryption is used)
For an electronic signature using RSA encryption, the public key y = (e, m).

The information τ corresponding to the plaintext M is the plaintext M itself (τ = M), and the electronic signature σ is generated by the following equation.
σ = M ^a_0

  Here, the operation defined by the group is expressed in a multiplicative manner.

The terminal device 41 transmits the plaintext M and calculation request information (information described so as to obtain the value M ^{f (n)} ) to the N proxy calculation devices 12-n.

The proxy calculation device 12-n obtains the value M ^{f (n)} and transmits it to the terminal device 41.

The terminal device 41 generates an electronic signature σ = C a — ⁰ using K values M ^{f (k)} and transmits the plaintext M and the electronic signature σ to a terminal device (not shown). For example, when K = 2 and f (x) = a ₁ x + a ₀ , the relationship of a ₀ = 2f (1) + f (2) holds, so M ^{f (1)} and M ^{f (2)} are By using the following expression, the electronic signature σ can be generated.
σ = M ^a_0 = M ^{2f (1) + f (2)}

A terminal device (not shown) uses plaintext M, the electronic signature σ, and the public key y = (m, e) to verify whether or not the following equation holds, and if so, determines that the electronic signature σ is authentic: To do.
M = σ ^e mod m

<Effect>
With such a configuration, the terminal device 41 can generate the electronic signature σ for the plaintext M while keeping the true secret information a ₀ secret from the terminal device 41. Since the terminal device 11 cannot know the true secret information a ₀ , it is possible to prevent information leakage due to a failure to delete the true secret information a ₀ . In addition, you may combine this embodiment and 2nd embodiment. For example, the key device 23 manages N proxy computing devices 12-n and transmits / receives information via the key device 23. Moreover, you may combine this embodiment and 3rd embodiment. For example, the disturbance information τ (n) in which the relationship with the plaintext is disturbed by the random number r _n is generated as information τ corresponding to the plaintext, and each process is performed.

<Other variations>
The present invention is not limited to the above-described embodiments and modifications. For example, the various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes. In addition, it can change suitably in the range which does not deviate from the meaning of this invention.

<Program and recording medium>
In addition, various processing functions in each device described in the above embodiments and modifications may be realized by a computer. In that case, the processing contents of the functions that each device should have are described by a program. Then, by executing this program on a computer, various processing functions in each of the above devices are realized on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Further, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its storage unit. When executing the process, this computer reads the program stored in its own storage unit and executes the process according to the read program. As another embodiment of this program, a computer may read a program directly from a portable recording medium and execute processing according to the program. Further, each time a program is transferred from the server computer to the computer, processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program includes information provided for processing by the electronic computer and equivalent to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In addition, although each device is configured by executing a predetermined program on a computer, at least a part of these processing contents may be realized by hardware.

Claims (10)

N is an integer of 2 or more, n = 1,..., N, a decoding system including a terminal device and N proxy computing devices n,
K is an integer between 1 and N, f (x) = a _(K-1) x ^(K-1) + ... + a ₁ x + a _0, and a ₀ = f (0) is true secret information And j _n is an integer of 1 or more different for each _n , and f (j _n ) is distributed secret information,
The proxy computing device n is
A storage unit for storing the distributed secret information f (j _n );
A calculation unit for obtaining a value f (j _n ) τ using information τ corresponding to ciphertext and the distributed secret information f (j _n ), and
The terminal device
A request unit that requests the proxy computing device n to obtain a value f (j _n ) τ from information τ corresponding to the ciphertext;
k = 1, 2,..., K, j _k is a value of j ₁ , j ₂ ,..., j _N that differs for each k, and K values f (j _k ) τ are used to decrypt A decoding unit for obtaining information a ₀ τ corresponding to
Decryption system. The decoding system according to claim 1, wherein
And a key device for managing the N proxy computing devices n.
The terminal device
A disturbance information generating unit that generates disturbance information τ (n) that disturbs the relationship with the ciphertext by a random number r _n as information τ corresponding to the ciphertext;
Receiving the proxy computing device n from the value _{f (j n) τ (n} ) through the key device, the random number with r _n, the value _{f (j n) τ (n} ) from the value f (j _n A second decoding unit for obtaining C,
The request unit requests the proxy calculation device n to obtain a value f (j _n ) τ (n) from the disturbance information τ (n) via the key device,
The calculation unit of the proxy calculation device n is:
A value f (j _n ) τ (n) is obtained using the disturbance information τ (n) and the distributed secret information f (j _n ).
Decryption system. N is an integer greater than or equal to 2, n = 1,..., N, a signature system including a terminal device and N proxy computing devices n,
K is an integer between 1 and N, f (x) = a _(K-1) x ^(K-1) + ... + a ₁ x + a _0, and a ₀ = f (0) is true secret information And j _n is an integer of 1 or more different for each _n , and f (j _n ) is distributed secret information,
The proxy computing device n is
A storage unit for storing the distributed secret information f (j _n );
A calculation unit for obtaining a value f (j _n ) τ using information τ corresponding to plaintext and the distributed secret information f (j _n ), and
The terminal device
A request unit that requests the proxy computing device n to obtain a value f (j _n ) τ from information τ corresponding to the plaintext;
k = 1, 2,..., K, j _k is a different value of j ₁ , j ₂ ,..., j _N for each _k , and an electronic signature is obtained using K values f (j _k ) τ And a signature generation unit for obtaining information a ₀ τ corresponding to
Signature system. N is an integer of 2 or more, n = 1,..., N, and a terminal device that requests proxy calculation to N proxy calculation devices n,
K is an integer between 1 and N, f (x) = a _(K-1) x ^(K-1) + ... + a ₁ x + a _0, and a ₀ = f (0) is true secret information And j _n is an integer of 1 or more different for each _n , and f (j _n ) is distributed secret information,
A request unit that requests the proxy computing device n to obtain a value f (j _n ) τ from information τ corresponding to the ciphertext;
k = 1, 2,..., K, j _k is a value of j ₁ , j ₂ ,..., j _N that differs for each k, and K values f (j _k ) τ are used to decrypt A decoding unit for obtaining information a ₀ τ corresponding to
Terminal device. The terminal device according to claim 4,
A disturbance information generating unit that generates disturbance information τ (n) that disturbs the relationship with the ciphertext by a random number r _n as information τ corresponding to the ciphertext;
The value f (j _n ) τ (n) is received from the proxy computing device n via the key device, and the value f (j _n ) τ (n) to the value f (j _n ) using the random number r _n A second decryption unit for obtaining C,
The requesting unit requests the proxy computing device n to obtain the value f (j _n ) τ (n) from the disturbance information τ (n) via the key device;
Terminal device. N is an integer of 2 or more, n = 1,..., N, and a terminal device that requests proxy calculation to N proxy calculation devices n,
K is an integer between 1 and N, f (x) = a _(K-1) x ^(K-1) + ... + a ₁ x + a _0, and a ₀ = f (0) is true secret information And j _n is an integer of 1 or more different for each _n , and f (j _n ) is distributed secret information,
A request unit that requests the proxy computing device n to obtain a value f (j _n ) τ from information τ corresponding to the plaintext;
k = 1, 2,..., K, j _k is a different value of j ₁ , j ₂ ,..., j _N for each _k , and an electronic signature is obtained using K values f (j _k ) τ And a signature generation unit for obtaining information a ₀ τ corresponding to
Terminal device. N is an integer of 2 or more, n = 1,..., N, a decoding method using a terminal device and N proxy computing devices n,
K is an integer between 1 and N, f (x) = a _(K-1) x ^(K-1) + ... + a ₁ x + a _0, and a ₀ = f (0) is true secret information And j _n is an integer of 1 or more different for each _n , and f (j _n ) is distributed secret information,
A requesting step in which the terminal device requests the proxy computing device n to obtain a value f (j _n ) τ from information τ corresponding to the ciphertext;
The proxy computing device n calculates a value f (j _n ) τ using the distributed secret information f (j _n ) stored in advance and information τ corresponding to the ciphertext;
k = 1, 2,..., K, j _k is a value of j ₁ , j ₂ ,..., j _N that is different for each _k , and the terminal device sets K values f (j _k ) τ Using a decryption step to obtain information a ₀ τ corresponding to the decrypted text,
Decryption method. The decoding method according to claim 7, wherein
Furthermore, using a key device that manages the N proxy computing devices n,
A disturbance information generating step in which the terminal device generates disturbance information τ (n) that disturbs the relationship with the ciphertext by a random number r _n as information τ corresponding to the ciphertext;
The terminal device receives said through said key device proxy computing device n from the value _{f (j n) τ (n} ) , using the random number r _n, from the value _{f (j n) τ (n} ) A second decoding step for determining a value f (j _n ) C;
In the requesting step, the proxy computing device n is requested to obtain the value f (j _n ) τ (n) from the disturbance information τ (n) via the key device,
In the calculation step, a value f (j _n ) τ (n) is obtained using the disturbance information τ (n) and the distributed secret information f (j _n ).
Decryption method. N is an integer of 2 or more, n = 1,..., N, a signature method including a terminal device and N proxy computing devices n,
K is an integer between 1 and N, f (x) = a _(K-1) x ^(K-1) + ... + a ₁ x + a _0, and a ₀ = f (0) is true secret information And j _n is an integer of 1 or more different for each _n , and f (j _n ) is distributed secret information,
A requesting step in which the terminal device requests the proxy computing device n to obtain a value f (j _n ) τ from information τ corresponding to plaintext;
A calculation step in which the proxy calculation device n calculates a value f (j _n ) τ using the distributed secret information f (j _n ) stored in advance and information τ corresponding to plaintext;
k = 1, 2,..., K, j _k is a value of j ₁ , j ₂ ,..., j _N that is different for each _k , and the terminal device sets K values f (j _k ) τ Using a signature generation step to obtain information a ₀ τ corresponding to the electronic signature,
Signature method.   The program for functioning a computer as a terminal device in any one of Claims 4-6.

Images