JP4122856B2 - Probabilistic simultaneous order inspection method and order inspection program for multiple elements - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to a method for checking that the order of a plurality of data is a specific value, and more particularly to a method for determining a result at high speed by handling a plurality of data collectively.
[0002]
[Prior art]
In many public key cryptosystem applications, the order of numerical values constituting a ciphertext may be checked in order to guarantee security. The numerical order here means the order as a set of cyclic groups generated by the numerical value, and the numerical order check is a value for which the numerical order is assumed. Is to inspect. The order will be described with a simple example. Assuming that (Z / 7Z) ^* with p = 7 as the multiplicative group (Z / pZ) ^* and 3 as the numerical value, the set of cyclic groups generated by the numerical value 3 is 3 ¹ mod 7 = 3, 3 ² mod 7 = 2, ^{3 3} mod 7 = 6, 3 ⁴ mod 7 = 4, 3 ⁵ mod 7 = 5, 3 ⁶ mod 7 = 1, 3 ⁷ mod 7 = 3, 3 ⁸ mod 7 = 2, 3 ⁹ mod 7 = 6, 3 ¹⁰ mod 7 = 4, 3 ¹¹ mod 7 = 5, and so on, and is composed of six elements of 3, 2, 6, 4, 5, and 1. We say that the order of 6 as the set of cyclic groups generated by the numerical value 3 on the multiplicative group (Z / 7Z) ^* is 6.
[0003]
By the way, in recent years, opportunities to handle a huge number of ciphertexts at once, such as cryptographic applications such as electronic voting, are increasing. For this reason, it is required to quickly complete the numerical order inspection in these applications. A specific example where the order check is required is an electronic voting system using a cryptographic protocol called “verifiable Mix-net”. Here, the voting action is performed by sending a voting sentence encrypted using a public key cryptosystem to a counting station. In the counting, first, the sent voting ciphertext is jointly decrypted by a plurality of tabulators, and then the decrypted voting text is tabulated. After the series of aggregation operations, the “verifiable Mix-net” generates and outputs data that proves that the series of operations has been performed correctly. This data is hereinafter referred to as “certification data”. By the way, even if the counting result is not correct, the fact cannot be easily understood only from the set of the encrypted voting text and the set of the decrypted voting text. However, if you have the key for decryption, you can easily see if the results are correct. This is because all voting ciphertexts should be decrypted with this key and the two sets compared. The proof data is data that makes it possible to know whether the aggregation result is valid in this way, but the correspondence between the voting ciphertext and the decryption result is not known from the proof data, not the key itself (that is, the voting data) Data that does not break anonymity). In the electronic voting using the “verifiable Mix-net”, it is determined by using a special algorithm from the voting ciphertext, the decrypted voting text, and the certification data that there is no fraud in the vote counting. In this algorithm, especially when “Verifiable Mix-net” uses El Gamal ciphertext, the ciphertext, the decrypted voting text, and the operation of checking the order of the values constituting the proof data may be included. Many. This is because the Elgamal ciphertext can identify ciphertexts having different orders, and unless only ciphertexts having the same order are selected and used, the security of the electronic voting system decreases.
[0004]
There are the following methods for conventional order checking. First, to order of the numeric g to inspect that a divisor of q is a number g on the group this value g is defined, a g ^{q + 1} is a q + 1 square of numerical g calculate. That is, the defined group is (Z / pZ) ^{If *} , g ^{q + 1} mod p is calculated. If the calculation result is equal to g, it is determined that the order of the numerical value g is a divisor of q. In particular, when q is a prime number, its order is 1 or q.
[0005]
[Problems to be solved by the invention]
However, since the calculation of g ^{q + 1} in the conventional technique often requires a large calculation cost, there is a problem that it takes an enormous amount of time to check the order of a large number of numerical values. Especially when performing large-scale electronic voting using Mix-net, the amount of ciphertext that needs to be inspected for the number of orders is enormous, requiring a lot of time and making the system difficult to operate. .
[0006]
The present invention has been proposed in view of such circumstances, and an object thereof is to provide a method for inspecting the order of a large number of numerical values in a shorter time.
[0009]
[Means for Solving the Problems]
The probabilistic simultaneous order checking method for the plurality of elements according to the first aspect of the present invention is a method for checking by computer that the order of all of a plurality of values to be inspected is a divisor of a reference order. Including steps.
a) A variable that defines a group, a plurality of values to be inspected that are elements of the group, a reference order, and a safety variable are input, and a variable that defines the input group is input to the first storage means. Step b) generating random numbers, storing the inspected value in the second storage means, the inputted reference order in the third storage means, and the inputted safety variable in the fourth storage means, Step 5) storing the generated random number in the fifth storage means. C) Variables defining groups from the first storage means, a plurality of values to be inspected from the second storage means, and random numbers from the fifth storage means. Obtain and select a test value to be used for test product generation from a plurality of test values based on a random value, and calculate a test product that is a product of the selected test values on the group A step of storing the calculated check product in a sixth storage means; d) the first storage; The variable defining the group from the stage, the reference order from the third storage means, and the check product from the sixth storage means, respectively, and the order of the check product is the divisor of the order Step e) The determination result is taken out from the seventh storage means, and the order of the check product is not a divisor of the reference order. If it is a determination result, a test failure is output and the process is terminated. If the determination result indicates that the order of the inspection product is a divisor of the reference order, the fourth storage means can safely Take out the variable, determine whether or not it is greater than or equal to a predetermined value, and if it is not greater than or equal to the predetermined value, output a test pass result and terminate the process, and if greater than or equal to the predetermined value A step of reducing the safety variable stored in the storage means 4 by a predetermined value and returning the process to step b. 10]
The probabilistic simultaneous order checking method for a plurality of elements of the second aspect of the present invention is a method for checking by computer that the order of all of a plurality of values to be inspected is a divisor of a reference order. Including steps.
a) a step of inputting a variable defining a group, a plurality of values to be inspected as elements of the group, a reference order and a safety variable; b) inputting a variable defining the input group into the first storage means; Step c) generating random numbers, storing the plurality of inspected values in the second storage means, the inputted reference order in the third storage means, and the inputted safety variable in the fourth storage means D) storing the generated random number in the fifth storage means; e) storing a variable defining the group from the first storage means; a plurality of inspected values from the second storage means; and a fifth storage means. A random number is obtained from each of the test values, a test value to be used for generating a test product is selected from a plurality of test values based on the value of the random number, and a test product that is a product of the selected test values on the group Step f) The calculated check product is stored in the sixth storage means. Step g) obtaining a variable defining a group from the first storage means, a reference order from the third storage means, and a check product from the sixth storage means. Step h) for determining whether or not is a divisor of a reference order Step i) Store the determination result in the seventh storage means Step i) Take out the determination result from the seventh storage means, and determine the order of the check product If it is a determination result indicating that it is not a divisor of the order of the reference, a test failure is output and the process is terminated. Otherwise, the process is continued. Step j) A safety variable is stored from the fourth storage means. Take out, determine whether or not it is greater than or equal to a predetermined value, and if it is not greater than or equal to a predetermined value, output that the inspection has passed and end the process, otherwise continue the process step k) fourth The safety variable stored in the storage means is reduced by a predetermined value and Step to return the process to the c [0011]
[Action]
In the present invention, if there is a value in which the order is not a divisor of the given order, if the safety variable is sufficiently large, the probability is sufficiently close to 1, and so on. It can be confirmed. Further, when the safety variable is sufficiently smaller than the number of bits of the order and the number of test values for checking the order is sufficiently larger than the number of bits of the order, the order of the order according to the conventional method is The order can be inspected more efficiently than the inspection. For example, if the number of bits of the order is a number of 160 or more, the safety variable is about 40, and a sufficiently accurate inspection is possible. In this case, if the inspected numeric string consists of 45 or more elements, The calculation cost is reduced compared to the prior art.
[0012]
DETAILED DESCRIPTION OF THE INVENTION
Next, embodiments of the present invention will be described in detail with reference to the drawings.
[0013]
Referring to FIG. 1, an example of a computer to which the present invention is applied includes an input device 100, an output device 200, a program storage device 300, a memory 400, and a central processing unit 500 connected thereto. The input device 100 includes a manual input device such as a keyboard, a file device that stores input data, and a communication device that receives data transmitted through a communication line. The output device 200 includes a display device, a printer, a file device that stores output data, a communication device that transmits output data through a communication line, and the like. The program storage device 300 is composed of a magnetic disk or the like for storing software such as a basic program of the computer and an order checking program. The memory 400 is a storage unit for storing various types of data required in the course of the order inspection process, and includes a RAM or the like. In the case of the present embodiment, the memory 400 is provided with first to seventh storage means 401 to 407 configured by files, tables, and the like. The central processing unit 500 controls the entire computer by executing a program stored in the program storage device 300. In particular, the order checking method according to the present invention is executed by executing the order checking program stored in the program storage device 300.
[0014]
Next, with reference to FIG. 2, the flow of processing by the order checking program will be described.
[0015]
[Assumption]
Let p be an integer, φ (p) be the total number of positive integers that are relatively prime with p among positive integers less than p, and q be an integer q | φ (p), that is, an integer that is divisible by φ (p). To explain this meaning with a simple example, when p = 15, positive integers relatively prime to p among positive integers less than p are 1,2,4,7,8,11,13,14. Since there are eight in total, φ (p) = 8, and q, which is an integer divisible by 8, is 1,2,4,8. Of the plurality of values q, the order check is performed using a specific value q as a reference order.
[0016]
[Input processing S101]
The central processing unit 500 from the input device 100, multiplicative group (Z / pZ) ^* define variables p, n pieces of inspection values g ₁ is an element of the _group, g _2, ..., g _n, the reference and The order q and the safety variable s are input and stored in the first storage unit 401, the second storage unit 402, the third storage unit 403, and the fourth storage unit 404. For example, when the present invention is applied to an electronic voting system using a cryptographic protocol called “verifiable Mix-net” described in the section of the prior art, the variable p corresponds to a variable that defines a group used by public key cryptography. The plurality of values to be inspected correspond to the vote that is encrypted and voted, the vote that has been decrypted, the element that constitutes the data that proves that the aggregation process has been performed normally, and the reference order q is It corresponds to the order determined for use in the electronic voting system. The safety variable s is determined in advance according to the accuracy required for the inspection.
[0017]
[Random number generation processing S102]
The central processing unit 500 uses the random number generation means to generate an n-bit random number r equal to the number n of values to be inspected, and stores it in the fifth storage means 405. Here, the value of each bit of the random number r is 1 or 0.
[0018]
[Check product generation processing S103]
The central processing unit 500 receives from the first, second, and fifth storage means 401, 402, and 405 a variable p that defines a group, n inspected values g ₁ , g ₂ ,..., G _n , n bits Random number r is obtained, and n number of values to be inspected g ₁ , g ₂ ,..., G _n and each bit of the random number are associated one-to-one, the value of the corresponding bit of the random number r is Only test values that are predetermined values (for example, 1) are selected, and a test product Q that is a product of these test values on the group is calculated and stored in the sixth storage means 406. The calculation of the inspection product Q is explained by a simple example. When the group is (Z / 7Z) ^* and the two selected inspection values g ₁ and g ₂ are 3 and 4, the group of those inspection values The check product Q, which is the product above, is calculated as 3 * 4 mod 7 = 5.
[0019]
[Inspection product number determination processing S104]
The central processing unit 500 obtains the variable p defining the group, the reference order q, and the check product Q from the first, third, and sixth storage means 401, 403, and 406, respectively. Is determined by calculating whether or not the following expression is satisfied, and the determination result is stored in the seventh storage means 407.
Q ^{q + 1} mod p = Q
When the above formula is satisfied, the order of all the inspected values from which the inspection product Q is calculated is a divisor of the order q. Processing branches to step S107. On the other hand, when the above formula does not hold, the value to be inspected that is the basis of the calculation of the inspection product Q includes at least the value to be inspected that is not a divisor of the order q. The determination result is “not accepted”, and the process branches to the unacceptable output process S105.
[0020]
[Unaccepted output processing S105]
The central processing unit 500 extracts the determination result of “non-acceptance” from the seventh storage unit 407 and outputs it from the output device 200. Then, the order inspection process for the value to be inspected is terminated (S106).
[0021]
[Safety variable judgment processing S107]
The central processing unit 500 extracts the safety variable s from the fourth storage unit 404, determines whether it is greater than a predetermined value (1 in this example), and if greater than 1, branches to the repetitive processing S109, 1 If not, the process branches to the acceptance output process S108.
[0022]
[Accepted output processing S108]
The central processing unit 500 takes out the determination result of “acceptance” from the seventh storage unit 407 and outputs it from the output device 200. Then, the order inspection process for the value to be inspected is terminated (S106).
[0023]
[Repetition processing S109]
The central processing unit 500 decrements the safety variable s stored in the fourth storage unit 404 by a predetermined value (1 in this example), and branches to the random number generation processing S102. Thereby, the process mentioned above is repeated. This repetition is continued until it is determined that the order of the check product Q generated in the process S103 is not a divisor of the order q, or the process S107 determines that the value of the safety variable s is not greater than 1. .
[0024]
Next, the effect of the present embodiment will be described.
[0025]
In this embodiment, “accept” is always output if g _i ^{q + 1} mod p = g _i holds for all the inspected numerical sequences g _i ; (i = 1, 2,..., N). This is clear. If one in even ^{_{g i q + 1 mod p ≠}} g i becomes g _i is present, the probability that the test product Q comprises a g _i is 1/2. This is because Q ^{q + 1} mod p = Q cannot be established in both cases where the check product Q includes g _i and does not include the other elements constituting the check product. Therefore, if g _i ^{q + 1} mod p ≠ g _i becomes g _i even one is present, with respect to the random number r which is chosen at random, the probability that ^{Q q + 1} mod p = Q is satisfied, 1/2 or less Because.
[0026]
If outputs "acceptance" in the present embodiment, all test product Q generated for s random numbers is, Q ^{q + 1} so mod p = is to say that satisfying Q, even one g _i ^q probability the ^p-to Mod ≠ ^Tasu1 g _i becomes g _i is present is less than or equal to 1/2 ^s. Thus, taking a sufficiently large safety variables s, the probability of missing the presence of ^{_{g i q + 1 mod p ≠}} g i becomes g _i becomes negligibly small.
[0027]
In order to confirm g _i ^{q + 1} mod p = g _i for n g _i by the conventional method, the power-residue calculation must be performed n times. In addition, one power-residue calculation requires a multiplication remainder that is approximately 3/2 times the number of bits of q. If the number of bits in q is | q |, a total of (3/2) | q | n multiplication remainders is required.
[0028]
On the other hand, in this embodiment, n / 2 multiplication remainders are required to generate the check product Q, and (3/2) | q | multiplication remainders are required to calculate Q ^{q + 1} . Overall, {(1/2) n + (3/2) | q |} s multiplication remainders are required.
[0029]
Therefore, when n is sufficiently larger than | q |, that is, when many orders need to be checked, and when s <3 | q |, this embodiment is more efficient than the conventional method. In reality, in the case of the above-described electronic voting system or the like, the number of order bits | q | is often a number of 160 or more, and a safety variable s of about 40 is often sufficient. Under such conditions, the present embodiment is more effective when the numerical value string to be inspected is composed of 45 or more elements.
[0030]
【The invention's effect】
As described above, according to the present invention, it is possible to check the order of a large number of numerical values in a shorter time. The reason is that a plurality of data are handled collectively and are inspected stochastically.
[Brief description of the drawings]
FIG. 1 is a block diagram illustrating an example of a computer to which the present invention is applied.
FIG. 2 is a flowchart showing a flow of processing by an order inspection program.
[Explanation of symbols]
100 ... Input device
200 ... Output device
300 ... Program storage device
400 ... memory
401 to 407 ... 1st to 7th storage means
500 ... Central processing unit

Claims (4)

In the method of inspecting by a computer that the order of all the inspected values is a divisor of the reference order,
a) A variable that defines a group, a plurality of values to be inspected that are elements of the group, a reference order, and a safety variable are input, and a variable that defines the input group is input to the first storage means. Storing the value to be inspected in the second storage means, the inputted reference order in the third storage means, and the inputted safety variable in the fourth storage means,
b) generating a random number and storing the generated random number in a fifth storage means;
c) Obtain a variable defining a group from the first storage means, a plurality of values to be inspected from the second storage means, and a random number from the fifth storage means. A test value used for generating a test product is selected from the values, a test product that is a product of the selected test value on the group is calculated, and the calculated test product is stored in the sixth storage means. Remembering step,
d) The variables defining the group are obtained from the first storage means, the reference order is obtained from the third storage means, and the check product is obtained from the sixth storage means. Determining whether the order is a divisor of the order, and storing the determination result in the seventh storage means;
e) The determination result is taken out from the seventh storage means, and if it is a determination result indicating that the order of the inspection product is not a divisor of the reference order, an inspection failure is output and the process is terminated. If the determination result indicates that the order of the product is a divisor of the reference order, the safety variable is extracted from the fourth storage means, and it is determined whether or not it is greater than or equal to a predetermined value. If it is not equal to or greater than the predetermined value, a test pass is output and the process is terminated. If the value is equal to or greater than a predetermined value, the safety variable stored in the fourth storage means is reduced by a predetermined value and the process proceeds to step b. Step back,
A probabilistic simultaneous order checking method for a plurality of elements. In the method of inspecting by a computer that the order of all the inspected values is a divisor of the reference order,
a) inputting a variable defining a group, a plurality of inspected values that are elements of the group, a reference order and a safety variable;
b) A safety that is input to the first storage means, a variable that defines the input group, a plurality of input test values to the second storage means, and an input reference order to the third storage means Storing each variable in a fourth storage means;
c) generating a random number;
d) storing the generated random number in the fifth storage means;
e) Obtain a variable defining a group from the first storage means, a plurality of values to be inspected from the second storage means, and a random number from the fifth storage means. Selecting a test value to be used for test product generation from the values, and calculating a test product that is a product of the selected test value on the group;
f) storing the calculated check product in the sixth storage means;
g) The variable defining the group is obtained from the first storage means, the reference order is obtained from the third storage means, and the check product is obtained from the sixth storage means. Determining whether the order is a divisor of
h) storing the determination result in the seventh storage means;
i) The determination result is taken out from the seventh storage means, and if it is a determination result that the order of the check product is not a divisor of the reference order, a test failure is output and the processing is terminated. Otherwise, continue the process,
j) The safety variable is taken out from the fourth storage means, and it is determined whether or not it is equal to or greater than a predetermined value. Steps to continue processing, except
k) reducing the safety variable stored in the fourth storage means by a predetermined value and returning the process to step c;
A probabilistic simultaneous order checking method for a plurality of elements. A program for inspecting that the order of all the inspected values is a divisor of the reference order,
a) A variable that defines a group, a plurality of values to be inspected that are elements of the group, a reference order, and a safety variable are input, and a variable that defines the input group is input to the first storage means. Storing the value to be inspected in the second storage means, the inputted reference order in the third storage means, and the inputted safety variable in the fourth storage means,
b) generating a random number and storing the generated random number in a fifth storage means;
c) Obtain a variable defining a group from the first storage means, a plurality of values to be inspected from the second storage means, and a random number from the fifth storage means. A test value used for generating a test product is selected from the values, a test product that is a product of the selected test value on the group is calculated, and the calculated test product is stored in the sixth storage means. Remembering step,
d) The variables defining the group are obtained from the first storage means, the reference order is obtained from the third storage means, and the check product is obtained from the sixth storage means. Determining whether the order is a divisor of the order, and storing the determination result in the seventh storage means;
e) The determination result is taken out from the seventh storage means, and if it is a determination result indicating that the order of the inspection product is not a divisor of the reference order, an inspection failure is output and the process is terminated. If the determination result indicates that the order of the product is a divisor of the reference order, the safety variable is extracted from the fourth storage means, and it is determined whether or not it is greater than or equal to a predetermined value. If it is not equal to or greater than the predetermined value, a test pass is output and the process is terminated. If the value is equal to or greater than a predetermined value, the safety variable stored in the fourth storage means is reduced by a predetermined value and the process proceeds to step b. Step back,
An order checking program that executes A program for inspecting that the order of all the inspected values is a divisor of the reference order,
a) inputting a variable defining a group, a plurality of inspected values that are elements of the group, a reference order and a safety variable;
b) A safety that is input to the first storage means, a variable that defines the input group, a plurality of input test values to the second storage means, and an input reference order to the third storage means Storing each variable in a fourth storage means;
c) generating a random number;
d) storing the generated random number in the fifth storage means;
e) Obtain a variable defining a group from the first storage means, a plurality of values to be inspected from the second storage means, and a random number from the fifth storage means. Selecting a test value to be used for test product generation from the values, and calculating a test product that is a product of the selected test value on the group;
f) storing the calculated check product in the sixth storage means;
g) The variable defining the group is obtained from the first storage means, the reference order is obtained from the third storage means, and the check product is obtained from the sixth storage means. Determining whether the order is a divisor of
h) storing the determination result in the seventh storage means;
i) The determination result is taken out from the seventh storage means, and if it is a determination result that the order of the check product is not a divisor of the reference order, a test failure is output and the processing is terminated. Otherwise, continue the process,
j) The safety variable is taken out from the fourth storage means, and it is determined whether or not it is equal to or greater than a predetermined value. Steps to continue processing, except
k) reducing the safety variable stored in the fourth storage means by a predetermined value and returning the process to step c;
An order checking program that executes

Images