JP4602675B2 - CONFIDENTIAL INFORMATION MANAGEMENT SYSTEM, CONFIDENTIAL INFORMATION MANAGEMENT METHOD, CONFIDENTIAL INFORMATION MANAGEMENT PROGRAM, AND CONFIDENTIAL INFORMATION MANAGEMENT SYSTEM TERMINAL PROGRAM - Google Patents

Description

  The present invention relates to a confidential information management system, a confidential information management method, a confidential information management program, and a confidential information management system terminal program for managing confidential information of a user.

  With the development of IT (Information Technology) technology, there is an opportunity to receive provision of desired services using mobile phones and personal digital assistants containing passwords, credit numbers, etc., and IC cards containing PKI private keys. is increasing. For example, services such as logging in using a user's password, browsing information, and purchasing goods using the user's credit card number are widespread.

In such an occasion, if the user loses a mobile phone, personal digital assistant, IC card, etc. in which the above-mentioned confidential information (for example, password, credit number, PKI private key, etc.) is stored, the fact that it has been lost Is issued to the issuer, the confidential information is revoked, and the confidential information needs to be reissued.
Electronic Authentication System Promotion Study Group, “Guidelines for Specification of Electronic Authentication System in Inter-company Electronic Commerce System”, [Online], [Search January 20, 2004], Internet <URL: http: //www.ecom. or.jp/home/g12.pdf>

  Therefore, when the confidential information held by the user is lost, there is a problem that the lost confidential information must be invalidated and the confidential information must be changed in order to maintain security. In addition, since confidential information is changed, there is a problem that the service cannot be provided until reissue.

  The present invention has been made to solve the above-mentioned problems, and even if a mobile phone, a personal digital assistant, or an IC card held by a user is lost, a service can be provided without changing confidential information. It is an object to provide a confidential information management system, a confidential information management method, a confidential information management program, and a terminal program for the confidential information management system.

In order to achieve the above object, the present invention according to claim 1 is a confidential information management system for managing confidential information of a user using a secret sharing method, wherein the secret sharing method is a method for managing the confidential information as desired. A data division method that divides data into a desired number of divided data based on a processing unit bit length, and divides the confidential information into processing unit bit lengths to generate a plurality of original partial data, and Corresponding to each of the partial data, each divided partial data constituting each divided data by generating a plurality of random number partial data having a processing unit bit length from a random number having a length equal to or shorter than the bit length of the confidential information Is generated for each processing unit bit length by exclusive OR of the original partial data and the random number partial data to generate divided data of the desired number of divisions, and the processing unit bits from the newly generated random number A plurality of random number partial data are generated, subdivided partial data is generated for each processing unit bit length by exclusive OR of the respective divided partial data and the random number partial data, and the repartitioned data of the desired number of divisions And a data dividing means for dividing the confidential information into a plurality of divided data using the secret sharing method, and for the user to hold a part of the plurality of divided data together is stored in the first storage unit as the divided data, the rest of the plurality of divided data by using a data storage means for storing a respective one or more second storage unit, the secret sharing scheme, the first A data re-division means for creating a plurality of re-division data from a combination of a predetermined number of pieces of division data that can be restored among the division data stored in the storage unit; A part of the data is stored in the first storage unit as new divided data, and each of the divided data stored in the second storage unit is invalidated, and the rest of the plurality of re-divided data is updated. And a data re-storing means for storing each of the second storage units as various divided data.

  According to a second aspect of the present invention, in the first aspect of the invention, when the confidential information is used, the divided data held by the user is acquired, and the divided data and the second storage unit are acquired. Data recovery means for recovering the confidential information from the combination of the predetermined number of pieces of divided data among the stored pieces of divided data using the secret sharing method is provided.

  According to a third aspect of the present invention, in the second aspect of the present invention, when the confidential information is used, there is provided usage history storage means for storing the used fact as usage history information.

  According to a fourth aspect of the present invention, in the first aspect of the present invention, when the confidential information is used, the utilization is started from the predetermined number of pieces of divided data stored in the second storage unit. And a divided data transmission unit configured to transmit a combination of divided data obtained by subtracting the number of divided data held by a user to a terminal of the user via a communication network.

  According to a fifth aspect of the present invention, in the invention according to any one of the first to fourth aspects, the data re-dividing means configures each divided data included in a combination of the predetermined number of divided data. The divided data held by the user is generated by an exclusive OR operation between the respective divided partial data.

  According to a sixth aspect of the present invention, in the invention according to any one of the first to fifth aspects, the secret sharing method is used to generate the divided partial data and the divided partial data. Each subdivision partial data is generated by exclusive OR operation with each new random number partial data corresponding to each random number partial data.

  In the present invention according to claim 7, the secret sharing method further includes the re-divided partial data and the old random number partial data used when generating the divided partial data before the re-divided partial data generation. The old random number partial data is erased from the re-partitioned partial data by an exclusive OR operation.

  According to an eighth aspect of the present invention, there is provided the terminal according to any one of the first to seventh aspects, wherein the divided data stored in the first storage unit is stored in the terminal held by the user via a communication network. It has the transmission means to transmit, It is characterized by the above-mentioned.

  The present invention according to claim 9 is the invention according to any one of claims 1 to 8, further comprising receiving means for receiving the confidential information from a terminal of the user via a communication network. A confidential information management system.

The present invention according to claim 10 is a confidential information management method for managing confidential information of a user using a secret sharing method, which is performed by a confidential information management system , wherein the secret sharing method is configured to store the confidential information as desired. A data division method that divides data into a desired number of divided data based on a processing unit bit length, and divides the confidential information into processing unit bit lengths to generate a plurality of original partial data, and Corresponding to each of the partial data, each divided partial data constituting each divided data by generating a plurality of random number partial data having a processing unit bit length from a random number having a length equal to or shorter than the bit length of the confidential information Is generated for each processing unit bit length by exclusive OR of the original partial data and the random number partial data to generate divided data of a desired number of divisions and processing unit bits from the newly generated random number. A plurality of long random number partial data is generated, and subdivided partial data is generated for each processing unit bit length by exclusive OR of the divided partial data and the random number partial data, and the desired number of divisions is subdivided. A data division method for generating data, wherein the confidential information management system includes a first storage unit and a second storage unit, and divides the confidential information into a plurality of divided data using the secret sharing method to a data dividing step, a portion of the plurality of divided data, together with the user stored in the first storage unit as the divided data to hold, the remaining of the plurality of divided data, 1 or more of a data storage step of storing in each said second storage section, using said secret sharing scheme, among the divided data stored in the second storage unit, the divided data can be restored predetermined number From viewing alignment, and the data re-division step of creating a plurality of subdivided data, stores in the first storage unit a part of the plurality of re-divided data as new data segment, the second storage unit disable the divided data stored in, and performs a data re-storing step of storing in each of said second storage unit the remainder of the plurality of re-divided data as new data segment .

The present invention according to claim 11 is a confidential information management program for managing confidential information of a user by using a secret sharing method, wherein the secret sharing method is based on a desired processing unit bit length. A data division method that divides the data into a desired number of divided data, divides the confidential information into processing unit bit lengths, generates a plurality of original partial data, and corresponds to each of the plurality of original partial data. Generating a plurality of random part data having a processing unit bit length from a random number having a length equal to or shorter than the bit length of the confidential information, and dividing each divided part data constituting each divided data into the original partial data and the random number part Data is generated for each processing unit bit length by exclusive OR of data to generate divided data of a desired number of divisions, and a plurality of random number partial data of processing unit bit length are generated from newly generated random numbers. Data division for generating subdivision data of the desired number of divisions by generating subdivision data for each processing unit bit length by exclusive OR of the respective subdivision partial data and the random number partial data a method, a computer, the confidential data dividing means for dividing into a plurality of divided data by using the secret sharing scheme, a portion of the plurality of divided data, as the divided data for the user to hold together is stored in the first storage unit, the remainder of the plurality of divided data, one or a plurality of second memory unit data storage means for storing each, using the secret sharing scheme, the second storage unit among the divided data stored in, from the combination of the divided data can be restored predetermined number, the data re-division means for creating a plurality of re-division data, and said plurality of subdivision de Part of the data is stored in the first storage unit as new divided data, and each of the divided data stored in the second storage unit is invalidated, and the rest of the plurality of re-divided data is newly stored. It is made to function as a data re-storing means for storing each of the second storage units as divided data .

According to a twelfth aspect of the present invention, in the invention according to the eleventh aspect, when the computer uses the confidential information , the computer acquires the divided data held by the user, and the divided data and the second data And functioning as data restoring means for restoring the confidential information by using the secret sharing method from a combination of the predetermined number of divided data among the divided data stored in the storage unit .

According to a thirteenth aspect of the present invention, when the confidential information is used , the computer holds the computer from the predetermined number of pieces of divided data stored in the second storage unit. A combination of the number of pieces of divided data obtained by subtracting the number of pieces of divided data is caused to function as a divided data transmission unit that transmits the terminal of the user to a terminal through the communication network .

The present invention is claimed in claim 14, a confidential information management system for a terminal program that uses confidential information of the user by using the divided data transmitted from the confidential information management system according to claim 4, the terminal computer , obtains the divided data of the user to retain, restoring means for restoring said confidential information from the combination of the divided data the transmission and the divided data by using the secret sharing scheme, and the restored confidential information , And functioning as transmission means for transmitting to the system providing the service via a communication network .

  According to the present invention, since the confidential information is divided into a plurality of parts using the secret sharing method and a part of them is held by the user, even if the divided data held by the user is lost, the remaining divided data The confidential information can be restored from the information, the re-divided data is newly generated using the secret sharing method, and a part of the re-divided data is newly held by the user, so that the confidential information does not need to be changed.

  As a result, even if the divided data held by the user is lost, it is possible to receive the service again only by reporting the loss without re-issuing the confidential information.

  In particular, the secret sharing method according to the present invention is a data division method for dividing confidential information into divided data of a desired number of divisions based on a desired processing unit bit length. The secret information is divided into processing unit bit lengths. Generating a plurality of original part data, and corresponding to each of the plurality of original part data, a plurality of random part data having a processing unit bit length from a random number having a length equal to or shorter than the bit length of the confidential information. Generate and generate each divided partial data constituting each divided data for each processing unit bit length by exclusive OR of the original partial data and the random number partial data, and generate divided data of a desired number of divisions. A plurality of random number part data of processing unit bit length is generated from the random number generated in step 1, and each divided part data and the random number part data are subjected to exclusive OR of each divided unit data for each processing unit bit length. To generate over data, because it generates the re-division data of a desired number of divisions, without restoring the confidential information can be subdivided sensitive information.

  Thereby, the confidential information of the user can be managed more securely.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

<System configuration>
FIG. 1 is a block diagram showing a schematic configuration of an entire computer system 10 to which a confidential information management system 1 according to an embodiment of the present invention is applied.

  As shown in FIG. 1, the confidential information management system 1 is connected to a client terminal 2 (hereinafter simply referred to as a terminal) provided by a user via a communication network 4 such as the Internet, and via the communication network 4. It is connected to a service providing system 5 that provides a predetermined service to the user. The confidential information management system 1 is connected to a plurality of data storage server computers (hereinafter simply referred to as storage servers) 3a and 3b (hereinafter referred to simply as storage servers) 3a and 3b independent of each other in terms of hardware. .

  Note that the confidential information in the present embodiment refers to personal information such as a password, a credit card number, and a PKI private key necessary for the user to use the service providing system 5.

  In the computer system 10 configured as described above, when the confidential information S required when the terminal 2 receives a predetermined service from the service providing system 5 is transmitted to the confidential information management system 1, the confidential information management system 1 will be described later. The secret information S is divided into a plurality of data using a secret sharing method (hereinafter referred to as secret sharing method A), and the divided data is transmitted to the storage servers 3a and 3b and the terminal 2, respectively. It is designed to be stored. As a result, the confidential information S is registered in the confidential information management system 1, and the user is ready to use the service. In FIG. 1, the confidential information management system 1 divides the confidential information S from the terminal 2 into three divided data D (1), D (2), and D (3), each of which is a plurality of storage servers 3a. , 3b and the terminal 2 are stored.

  Further, when the service is used, if the divided data D (3) is transmitted from the terminal 2 to the confidential information management system 1, the confidential information management system 1 stores the divided data D (3) and the storage servers 3a and 3b. The original confidential information S is restored from any two of the divided data D (1) and D (2) using the secret sharing method A, and the confidential information S is transmitted to the service providing system 5. ing. Thereby, the user can receive provision of a predetermined service.

  In the present embodiment, the case where the confidential information S is divided and stored will be described as an example. However, the present invention is not limited to the case where the confidential information S is divided into three. = Integer greater than or equal to 2). Further, the divided data transmitted to the terminal 2 is not limited to one and may be plural. Furthermore, in this embodiment, the divided data D (1) and D (2) are assigned to the storage server 3 and the divided data D (3) are assigned to the use terminal 2. It may be assigned to the terminal 2.

  Specifically, the confidential information management system 1 includes a divided data generation unit 11 that divides the confidential information S into a plurality of divided data D using the secret sharing method A, and the original data using the secret sharing method A from the plurality of divided data D. (Confidential information) An original data restoring unit 12 for restoring S, a random number R used for generating a plurality of divided data D from the confidential information S, and a random number R ′ used for generating re-divided data D ′. Random number generator 13 for generating a subdivision that generates a plurality of subdivision data D ′ from the subdivision data stored in storage server 3 using secret sharing method A when the subdivision data held by the user is lost The data generation unit 14, the usage history generation unit 15 that generates the fact that the confidential information S system 1 restored the confidential information S and transmitted the confidential information S to the service providing system 5, and the terminal 2. Storage server 3a, has become 3b, and a service providing system 5 configured to include a communication unit 16 for transmitting and receiving respectively data.

  The terminal 2 is assumed to be a portable information terminal that can be carried by the user, a portable storage medium such as a mobile phone, an IC card, or the like, but may be a computer device that does not use a mobile device.

  Here, the above-described confidential information management system 1, terminal 2, storage servers 3a and 3b, and service providing system 5 are each a central processing unit (CPU) having at least a calculation function and a control function, and a function for storing programs and data. It is comprised from the electronic apparatus which has the main memory (memory) which consists of RAM etc. which have. In addition to the main storage device, the apparatus and system may include an auxiliary storage device such as a hard disk.

  A program for executing various processes according to the present embodiment is stored in the main storage device or the hard disk described above. The program can be recorded on a computer-readable recording medium such as a hard disk, a flexible disk, a CD-ROM, an MO, or a DVD-ROM, or can be distributed via a communication network.

<Secret Sharing Method A>
Here, the secret sharing method A based on the unique secret sharing algorithm in the present embodiment will be described.

  In the division and restoration of the original data (corresponding to the confidential information S) in the present embodiment, the original data is divided into divided data having a desired number of divisions based on a desired processing unit bit length. The length can be set to any value, and the original data is divided into processing unit bit lengths, and the divided partial data is generated from this original partial data by a number one less than the number of divisions, so the bit length of the original data Does not match an integral multiple of (divided number – 1) times the processing unit bit length, the source data bit length is set to the processing unit bit length (divided number – 1) This embodiment can be applied by adjusting to an integral multiple of twice.

  The random numbers described above are also generated from the random number generator 13 as (partition number-1) random number partial data having a bit length of the processing unit bit length corresponding to each of the (partition number-1) original partial data. Is done. That is, the random numbers are divided into processing unit bit lengths, and are generated as (partition number-1) random number partial data having a bit length of the processing unit bit length. Further, the original data is divided into a desired number of divided data based on the processing unit bit length, and each of the divided data also corresponds to each of the (division number-1) original partial data. It is generated as (partition number -1) pieces of divided partial data having a bit length. That is, each piece of divided data is divided into processing unit bit lengths, and is generated as (partition number-1) pieces of divided partial data having a bit length of the processing unit bit length.

  In the following description, the above-described original data, random numbers, divided data, number of divisions, and processing unit bit length are represented by S, R, D, n, and b, respectively, and one of a plurality of data, random numbers, and the like. I (= 1 to n) and j (= 1 to n-1) are used as variables to represent one, (division number n-1) original partial data, (division number n-1) random number partial data , And one of each of the divided data D of the number n of divisions is represented by S (j), R (j) and D (i), respectively, and a plurality of ( The divided partial data of (n-1) is represented by D (i, j). That is, S (j) represents the j-th original partial data when the original data S is numbered in order from the top by dividing the processing unit bit length from the top.

  When this notation is used, the original data, random number data, and divided data, and the original partial data, random number partial data, and divided partial data that constitute these, respectively, are represented as follows.

Original data S = (n-1) original partial data S (j)
= S (1), S (2), ..., S (n-1)
Random number R = (n-1) random number partial data R (j)
= R (1), R (2), ..., R (n-1)
n divided data D (i) = D (1), D (2),..., D (n)
Each partial data D (i, j)
= D (1,1), D (1,2), ..., D (1, n-1)
D (2,1), D (2,2), ..., D (2, n-1)
………
D (n, 1), D (n, 2), ..., D (n, n-1)
(i = 1 ~ n), (j = 1 ~ n-1)
In the present embodiment, an exclusive OR operation (XOR) of the original partial data and the random number partial data is performed on the plurality of partial data divided for each processing unit bit length as described above. The original data is divided using a definition formula consisting of exclusive OR (XOR) of data and random number partial data, and a method of using a polynomial or a remainder operation for the data division processing described above Compared with, it uses the exclusive OR (XOR) operation, which is a bit operation suitable for computer processing, and does not require high-speed and high-performance processing power, and it is simple operation even for large volumes of data. The divided data can be generated by repeating the processing, and the storage capacity required for storing the divided data can be made smaller than the multiple capacity proportional to the divided number. Further, the divided data is generated by stream processing in which calculation processing is performed in order from the top of the data for each predetermined fixed length.

  In the following description, the exclusive OR operation (XOR) used in the present embodiment is expressed by an operation symbol “*”. However, in the bitwise operation rule of this exclusive OR operation, Each calculation result is as follows.

The operation result of 0 * 0 is 0
The result of 0 * 1 is 1
The result of 1 * 0 is 1
The result of 1 * 1 is 0
In addition, the XOR operation has an exchange law and a joint law. That is,
a * b = b * a
It is mathematically proved that (a * b) * c = a * (b * c) holds.

  Also, a * a = 0, a * 0 = 0 * a = a holds.

Here, a, b, and c represent bit strings having the same length, and 0 represents a bit string having the same length and consisting of all “0”.

  Next, the operation of the secret sharing method A in the present embodiment will be described with reference to drawings such as flowcharts. Before this description, definitions of symbols shown in the flowcharts of FIGS. Will be described.

(1) Π _{i = 1} ⁿ A (i) means A (1) * A (2) *... A (n).

  (2) c (j, i, k) is (n-1) × (n-1) matrix U [n-1, n-1] × (P [n-1, n-1]) ^ It is defined as the value of i row and k column of (j-1).

  At this time, Q (j, i, k) is defined as follows.

When c (j, i, k) = 1 Q (j, i, k) = R ((n-1) × m + k)
Q (j, i, k) = 0 when c (j, i, k) = 0
However, m represents an integer of m ≧ 0.

(3) U [n, n] is an n × n matrix, and the value of i rows and j columns is represented by u (i, j).
When i + j <= n + 1, u (i, j) = 1
When i + j> n + 1, u (i, j) = 0
It means that the matrix is “upper triangular matrix”. Specifically, the matrix is as follows.

(4) P [n, n] is an n × n matrix, and the value of i rows and j columns is represented by p (i, j).
When j = i + 1, p (i, j) = 1
p (i, j) = 1 when i = n, j = 1
For other cases p (i, j) = 0
It means that the matrix is “rotation matrix”. Specifically, the matrix is as follows, and when multiplied from the right side of another matrix, the first column of the other matrix is changed to the second column, the second column to the third column,. Is moved to the nth column, and the nth column is moved to the first column. That is, when the matrix P is applied to another matrix a plurality of times from the right side, each column can be moved so as to rotate rightward by that number of times.

  (5) If A and B are n × n matrices, A × B means the product of the matrices A and B. The calculation rules for the matrix components are the same as those used in normal mathematics.

  (6) When A is an n × n matrix and i is an integer, A ^ i means i products of the matrix A. A ^ 0 means the unit matrix E.

(7) The unit matrix E [n, n] is an n × n matrix, and the value of i rows and j columns is represented by e (i, j).
e (i, j) = 1 when i = j
For other cases e (i, j) = 0
Let's mean a matrix that is Specifically, the matrix is as follows. Let A be any n × n matrix
A × E = E × A = A
There is a property to become.

  Next, with reference to the flowchart shown in FIG. 2 and the specific data shown in FIGS. This explains the function of the divided data generation unit 11 of the confidential information management system 1.

  First, the original data S is given to the confidential information management system 1 (step S201 in FIG. 2). In this example, the original data S is 16 bits “10110010 00110111”.

  Next, the confidential information management system 1 instructs the division number n to be 3 (step S203). Note that the three pieces of divided data generated by the confidential information management system 1 according to the division number n = 3 are D (1), D (2), and D (3). The divided data D (1), D (2), and D (3) are all 16-bit data that is the same as the bit length of the original data.

  Then, the processing unit bit length b used for dividing the original data S is determined to be 8 bits (step S205). The processing unit bit length b may be designated by the user from the terminal 2 to the confidential information management system 1 or may be a value determined in advance in the confidential information management system 1. The processing unit bit length b may be an arbitrary number of bits, but here it is 8 bits that can divide the original data S. Accordingly, the original data S of the above 16-bit “10110010 00110111” is divided into “10110010” when the two original divided data S (1) and S (2) are divided by the 8-bit processing unit bit length. And “00110111”.

  In the next step S207, it is determined whether or not the bit length of the original data S is an integer multiple of 8 × 2, and if it is not an integer multiple, the end of the original data S is padded with zeros to obtain 8 × 2 Fit to an integer multiple. Note that the division processing when the processing unit bit length b is set to 8 bits and the division number n is set to 3 as in this example is not limited to 16 bits as the bit length of the original data S. This is effective for the original data S that is an integral multiple of the length b × (number of divisions n−1) = 8 × 2.

  Next, in step S209, the variable m, that is, the variable m meaning the integer multiple described above is set to zero. As in this example, when the original data S has a processing unit bit length b × (number of divisions n−1) = 8 × 2 = 16 bits, the variable m is 0, but is doubled to 32 bits. In this case, the variable m is 1, and in the case of 3 times 48 bits, the variable m is 2.

  Next, it is determined whether or not there is data for 8 × 2 bits from the 8 × 2 × m + 1 bit of the original data S (step S211). This is because the division processing shown after step S211 is performed on the processing unit bit length b × (number of divisions n−1) = 8 × 2 = 16 bits specified by the variable m of the original data S, It is determined whether or not there is the next 16 bits as data S. In the case where the original data S is 16 bits as in this example, when the dividing process after step S211 is performed once on the 16-bit original data S, the variable m is incremented by 1 in step S219 described later. However, in the original data S of this example, there is no data of 17 bits or more corresponding to the case where the variable m is m + 1, so the process proceeds from step S211 to step S221. In this case, however, the variable m is Since it is 0, the 8 × 2 × m + 1 bit of the original data S is 8 × 2 × 0 + 1 = 1, and the data is 8 × 2 bits from the first 16 bits of the original data S. Since it exists, it progresses to step S213.

  In step S213, the variable j is changed from 1 to 2 (= number of divisions n-1), and 8 bits (= processing unit bits) from the 8 × (2 × m + j-1) +1 bit of the original data S Data) is set to the original partial data S (2 × m + j), thereby dividing the original data S by the processing unit bit length 2 (number of divisions n-1) original partial data S (1) , S (2) is generated as follows.

Original data S = S (1), S (2)
First original partial data S (1) = “10110010”
Second original partial data S (2) = “00110111”
Next, the variable j is changed from 1 to 2 (= division number n-1), and a random number of 8 bits length generated from the random number generator 13 is set to the random number partial data R (2 × m + j). Thus, 2 (division number n-1) random number partial data R (1) and R (2) obtained by dividing the random number R by the processing unit bit length are generated as follows (step S215).

Random number R = R (1), R (2)
First random number partial data R (1) = “10110001”
Second random number partial data R (2) = “00110101”
Next, in step S217, the variable i is changed from 1 to 3 (= number of divisions n), and the variable j is further changed from 1 to 2 (= number of divisions n-1) in each variable i, as shown in step S217. Each divided partial data D (i, 2 × m + j) that constitutes each of the plurality of divided data D (i) by a definition formula consisting of exclusive OR of the original partial data and random number partial data for generating the divided data ) Is generated. As a result, the following divided data D is generated.

Split data D
= 3 pieces of divided data D (i) = D (1), D (2), D (3)
First divided data D (1)
= 2 pieces of partial data D (1, j) = D (1,1), D (1,2)
= "00110110", "10110011"
Second divided data D (2)
= 2 pieces of partial data D (2, j) = D (2,1), D (2,2)
= "00000011", "00000010"
Third divided data D (3)
= 2 pieces of partial data D (3, j) = D (3,1), D (3,2)
= "10110001", "00110101"
Note that the definition formula shown in step S217 for generating each divided partial data (i, j) is specifically described in the table shown in FIG. 4 when the number of divisions n = 3 as in this example. Will be. From the table shown in FIG. 4, the definition formula for generating the divided partial data D (1,1) is S (1) * R (1) * R (2), and the definition formula for D (1,2) Is S (2) * R (1) * R (2), the definition of D (2,1) is S (1) * R (1), and the definition of D (2,2) is S (2) * R (2), the defining formula for D (3,1) is R (1), and the defining formula for D (3,2) is R (2). The table shown in FIG. 4 also describes general definition formulas for arbitrary integers when m> 0.

  In this way, after the divided data D is generated for the variable m = 0 which means an integer multiple, the variable m is then incremented by 1 (step S219), the process returns to step S211 and the original data S corresponding to the variable m + 1 is returned. However, since the original data S in this example is 16 bits and there is no data after 17 bits, the process proceeds from step S211 to step S221 and is generated as described above. The divided data D (1), D (2), and D (3) are stored in the storage server 3 and the terminal 2, respectively, and the division process is finished. The divided data D (1), D (2), D (3) stored in this way cannot be estimated as original data alone.

  Here, the divided data generation process based on the definition formula in step S217 in the flowchart of FIG. 2 described above, specifically, the divided data generation process when the number of divisions n = 3 will be described in detail.

  First, in the case of a variable m = 0 meaning an integer multiple, each divided partial data D constituting each of the divided data D (i) = D (1) to D (3) from the definition formula shown in step S217. (i, 2 × m + j) = D (i, j) (i = 1 to 3, j = 1 to 2) is as follows.

D (1,1) = S (1) * Q (1,1,1) * Q (1,1,2)
D (1,2) = S (2) * Q (2,1,1) * Q (2,1,2)
D (2,1) = S (1) * Q (1,2,1) * Q (1,2,2)
D (2,2) = S (2) * Q (2,2,1) * Q (2,2,2)
D (3,1) = R (1)
D (3,2) = R (2)
Specifically, Q (j, i, k) included in the above four formulas among the above six formulas is obtained.

When c (j, i, k) is a value of i rows and k columns of U [2,2] × (P [2,2]) ^ (j-1) which is a 2 × 2 matrix, Is defined as

When c (j, i, k) = 1 Q (j, i, k) = R (k)
Q (j, i, k) = 0 when c (j, i, k) = 0
here,
When j = 1

When j = 2

  If this is used, each division | segmentation partial data D (i, j) is produced | generated by the following definitional expressions.

D (1,1) = S (1) * Q (1,1,1) * Q (1,1,2) = S (1) * R (1) * R (2)
D (1,2) = S (2) * Q (2,1,1) * Q (2,1,2) = S (2) * R (1) * R (2)
D (2,1) = S (1) * Q (1,2,1) * Q (1,2,2) = S (1) * R (1) * 0 = S (1) * R (1 )
D (2,2) = S (2) * Q (2,2,1) * Q (2,2,2) = S (2) * 0 * R (2) = S (2) * R (2 )
The definition formula for generating each of the divided partial data D (i, j) described above is also illustrated in FIG.

  FIG. 3 shows the original data from the respective data, definition formulas, and divided partial data when the 16-bit original data S is divided into three with the division number n = 3 based on the 8-bit processing unit bit length as described above. It is a table | surface which shows the calculation formula in the case of decompress | restoring.

  Here, the divided data D (1), D (2), D (3) and the respective divided partial data D (1,1), D (1,2), D (2,1), The process of generating D (2,2), D (3,1), and D (3,2) and the general form of the definition formula will be described.

  First, for the first divided data D (1), the first divided partial data D (1,1) is defined by the above-described definition formula S (1) * R (1) * R (2). Then, the second divided partial data D (1, 2) is defined by the definition formula S (2) * R (1) * R (2). The general form of this defining formula is S (j) * R (j) * R (j + 1) for D (1, j), and for D (1, j + 1) S (j + 1) * R (j) * R (j + 1) (j is an odd number). When calculated according to the definition formula, D (1,1) is 00110110 and D (1,2) is 10110011, so D (1) is 00100110 10110011. The general form of the defining formula is shown collectively in FIG.

  For the second divided data D (2), D (2,1) is defined by S (1) * R (1), and D (2,2) is S (2) * R ( Defined in 2). The general form of this definition is S (j) * R (j) for D (2, j) and S (j + 1) * R for D (2, j + 1) (j + 1) (j is an odd number). When calculated according to the definition formula, D (2,1) becomes 00000011 and D (2,2) becomes 00000010, so D (2) is 00000011 00000010.

  Further, for the third divided data D (3), D (3,1) is defined by R (1) and D (3,2) is defined by R (2). The general form of this definition is R (j) for D (3, j) and R (j + 1) for D (3, j + 1) (j is an odd number) To do). When calculated according to the definition formula, D (3,1) is 10110001, D (3,2) is 00110101, and D (3) is 10110001 00110101.

  In the above description, the length of S, R, D (1), D (2), D (3) is 16 bits. Even from the original data S, the divided data D (1), D (2), and D (3) can be generated. In addition, the processing unit bit length b can be arbitrarily set, and the original data having an arbitrary length, specifically, processing is performed by repeating the above division processing for each length of b × 2 in order from the top of the original data S. The present invention can be applied to original data having an integral multiple of the unit bit length b × 2. If the length of the original data S is not an integral multiple of the processing unit bit length b × 2, for example, the length of the original data S is set to the processing unit bit length b × 2 by filling the end portion of the data with 0, for example. The division processing of this embodiment described above can be applied by adjusting to an integral multiple of.

  Next, processing for restoring original data from divided data will be described with reference to the table shown on the right side of FIG. This explains the function of the original data restoration unit 13 of the confidential information management system 1.

  First, the confidential information management system 1 is requested to restore the original data S. The confidential information management system 1 acquires the divided data D (1), D (2), D (3) from the storage server 3 and the terminal 2, and the acquired divided data D (1), D (2), D The original data S is restored from (3) as follows.

  First, the first original partial data S (1) can be generated from the divided partial data D (2,1) and D (3,1) as follows.

D (2,1) * D (3,1) = (S (1) * R (1)) * R (1)
= S (1) * (R (1) * R (1))
= S (1) * 0
= S (1)
Specifically, since D (2,1) is 00000011 and D (3,1) is 10110001, S (1) is 10110010.

  Further, the second original partial data S (2) can be generated from the other divided partial data as follows.

D (2,2) * D (3,2) = (S (2) * R (2)) * R (2)
= S (2) * (R (2) * R (2))
= S (2) * 0
= S (2)
Specifically, since D (2,2) is 00000010 and D (3,2) is 00110101, S (2) is 00110111.

In general, let j be an odd number
D (2, j) * D (3, j) = (S (j) * R (j)) * R (j)
= S (j) * (R (j) * R (j))
= S (j) * 0
= S (j)
Therefore, S (j) can be obtained by calculating D (2, j) * D (3, j).

In general, j is an odd number,
D (2, j + 1) * D (3, j + 1) = (S (j + 1) * R (j + 1)) * R (j + 1)
= S (j + 1) * (R (j + 1) * R (j + 1))
= S (j + 1) * 0
= S (j + 1)
Therefore, S (j + 1) can be obtained by calculating D (2, j + 1) * D (3, j + 1).

  Next, when acquiring D (1) and D (3) and restoring S, it is as follows.

D (1,1) * D (3,1) * D (3,2) = (S (1) * R (1) * R (2)) * R (1) * R (2) = S ( 1) * (R (1) * R (1)) * (R (2) * R (2))
= S (1) * 0 * 0
= S (1)
Therefore, S (1) can be obtained by calculating D (1,1) * D (3,1) * D (3,2). Specifically, since D (1,1) is 00110110, D (3,1) is 1010001, and D (3,2) is 0110101, S (1) is 10110010.

Similarly,
D (1,2) * D (3,1) * D (3,2) = (S (2) * R (1) * R (2)) * R (1) * R (2)
= S (2) * (R (1) * R (1)) * (R (2) * R (2))
= S (2) * 0 * 0
= S (2)
Therefore, S (2) can be obtained by calculating D (1,2) * D (3,1) * D (3,2). Specifically, since D (1,2) is 10110011, D (3,1) is 10110001, and D (3,2) is 00110101, S (2) is 00110111.

In general, let j be an odd number
D (1, j) * D (3, j) * D (3, j + 1) = (S (j) * R (j) * R (j + 1)) * R (j) * R (j +1)
= S (j) * (R (j) * R (j)) * (R (j + 1) * R (j + 1))
= S (j) * 0 * 0
= S (j)
Therefore, S (j) can be obtained by calculating D (1, j) * D (3, j) * D (3, j + 1).

In general, j is an odd number,
D (1, j + 1) * D (3, j) * D (3, j + 1) = (S (j + 1) * R (j) * R (j + 1)) * R (j) * R (j + 1)
= S (j + 1) * (R (j) * R (j)) * (R (j + 1) * R (j + 1))
= S (j + 1) * 0 * 0
= S (j + 1)
Therefore, S (j + 1) can be obtained by calculating D (1, j + 1) * D (3, j) * D (3, j + 1).

  Next, when acquiring D (1) and D (2) and restoring S, it is as follows.

D (1,1) * D (2,1) = (S (1) * R (1) * R (2)) * (S (1) * R (1))
= (S (1) * S (1)) * (R (1) * R (1)) * R (2)
= 0 * 0 * R (2)
= R (2)
Therefore, R (2) is obtained by calculating D (1,1) * D (2,1). Specifically, since D (1,1) is 00110110 and D (2,1) is 00000011, R (2) is 00110101.

Similarly,
D (1,2) * D (2,2) = (S (2) * R (1) * R (2)) * (S (2) * R (2))
= (S (2) * S (2)) * R (1) * (R (2) * R (2))
= 0 * R (1) * 0
= R (1)
Therefore, R (1) is obtained by calculating D (1,2) * D (2,2). Specifically, since D (1,2) is 10110011 and D (2,2) is 00000010, R (1) is 10110001.

  Using these R (1) and R (2), S (1) and S (2) are obtained.

D (2,1) * R (1) = (S (1) * R (1)) * R (1)
= S (1) * (R (1) * R (1))
= S (1) * 0
= S (1)
Therefore, S (1) can be obtained by calculating D (2,1) * R (1). Specifically, since D (2,1) is 00000011 and R (1) is 10110001, S (1) is 10110010.

Similarly,
D (2,2) * R (2) = (S (2) * R (2)) * R (2)
= S (2) * (R (2) * R (2))
= S (2) * 0
= S (2)
Therefore, S (2) can be obtained by calculating D (2,2) * R (2). Specifically, since D (2,2) is 00000010 and R (2) is 00110101, S (2) is 00110111.

In general, let j be an odd number
D (1, j) * D (2, j) = (S (j) * R (j) * R (j + 1)) * (S (j) * R (j))
= (S (j) * S (j)) * (R (j) * R (j)) * R (j + 1)
= 0 * 0 * R (j + 1)
= R (j + 1)
Therefore, R (j + 1) can be obtained by calculating D (1, j) * D (2, j).

Similarly,
D (1, j + 1) * D (2, j + 1) = (S (j + 1) * R (j) * R (j + 1)) * (S (j + 1) * R (j +1))
= (S (j + 1) * S (j + 1)) * R (j) * (R (j + 1) * R (j + 1))
= 0 * R (j) * 0
= R (j)
Therefore, R (j) can be obtained by calculating D (1, j + 1) * D (2, j + 1).

  Using these R (j) and R (j + 1), S (j) and S (j + 1) are obtained.

D (2, j) * R (j) = (S (j) * R (j)) * R (j)
= S (j) * (R (j) * R (j))
= S (j) * 0
= S (j)
Therefore, S (j) can be obtained by calculating D (2, j) * R (j).

Similarly,
D (2, j + 1) * R (j + 1) = (S (j + 1) * R (j + 1)) * R (j + 1)
= S (j + 1) * (R (j + 1) * R (j + 1))
= S (j + 1) * 0
= S (j + 1)
Therefore, S (j + 1) is obtained by calculating D (2, j + 1) * R (j + 1).

  As described above, when the divided data is repeatedly generated from the beginning of the original data based on the processing unit bit length b to generate divided data, the three divided data D (1), D (2), D ( Even if not all of 3) is used, the original data can be restored as described above using two divided data of the three divided data.

  As another method of the present invention, the original data can be divided by using a random number R having a bit length shorter than that of the original data S.

  That is, the random number R described above is data having the same bit length as S, D (1), D (2), D (3), but the random number R is shorter than the bit length of the original data S, and the divided data D This short bit length random number R is repeatedly used to generate (1), D (2), and D (3).

  In the confidential information management system 1 according to the present embodiment, since the three divided data D (1), D (2), and D (3) are generated, the number of divisions is three. However, the secret sharing method A can be applied even when the number of divisions is n.

  Next, a general division process when the number of divisions is n and the processing unit bit length is b will be described with reference to the flowchart shown in FIG.

  First, the original data S is given to the confidential information management system 1 (step S401). In addition, the confidential information management system 1 is instructed for the division number n (an arbitrary integer satisfying n ≧ 3) (step S403). The processing unit bit length b is determined (step S405). Note that b is an arbitrary integer greater than 0. Next, it is determined whether or not the bit length of the original data S is an integer multiple of b × (n−1). If it is not an integer multiple, the end of the original data S is filled with 0 (step S407). Further, a variable m meaning an integer multiple is set to 0 (step S409).

  Next, it is determined whether or not there is data of b × (n−1) bits from the b × (n−1) × m + 1 bit of the original data S (step S411). As a result of this determination, if there is no data, the process proceeds to step S421. However, in this case, since the variable m is set to 0 in step S409, the data exists, so step S413. Proceed to

  In step S413, the variable j is changed from 1 to n-1, and b bits ((n-1) × m + j-1) +1 bit data of the original data S is converted into the original partial data S. ((n-1) × m + j) is repeated, whereby (n-1) pieces of original partial data S (1), S (2 ),... S (n-1) is generated.

  Next, the variable j is changed from 1 to n-1, and a random number of the processing unit bit length b generated from the random number generator 15 is set in the random number partial data R ((n-1) × m + j). Thus, n-1 random number partial data R (1), R (2),... R (n-1) obtained by dividing the random number R by the processing unit bit length b are generated (step S415).

  Next, in step S417, while changing the variable i from 1 to n and further changing the variable j from 1 to n-1 in each variable i, a plurality of definition expressions for generating the divided data shown in step S417 are used. Each divided partial data D (i, (n−1) × m + j) constituting each of the divided data D (i) is generated. As a result, the following divided data D is generated.

Split data D
= n pieces of divided data D (i) = D (1), D (2), ... D (n)
First divided data D (1)
= n-1 divided partial data D (1, j) = D (1,1), D (1,2), ... D (1, n-1)
Second divided data D (2)
= n-1 divided partial data D (2, j) = D (2,1), D (2,2), ... D (2, n-1)
………
………
N-th divided data D (n)
= n-1 divided partial data D (n, j) = D (n, 1), D (n, 2), ... D (n, n-1)
In this way, after generating the divided data D for the variable m = 0, the variable m is then incremented by 1 (step S419), and the process returns to step S411 to return b × (n of the original data S corresponding to the variable m = 1. -1) Similar division processing is performed for the bits after the bit. Finally, if there is no data in the original data S as a result of the determination in step S411, the process proceeds from step S411 to step S421, and the divided data D (1),..., D (n) generated as described above are stored in the storage server 3. Then, the data is stored in the terminal 2 and the dividing process is terminated.

  In the embodiment described above, the random number component may be lost by performing an operation between the partial data constituting only the divided data. That is, for example, in the case of three divisions, each divided partial data is defined as follows.

D (1,1) = S (1) * R (1) * R (2), D (1,2) = S (2) * R (1) * R (2),…
D (2,1) = S (1) * R (1), D (2,2) = S (2) * R (2),…
D (3,1) = R (1), D (3,2) = R (2),…
Looking at D (1), for example, if D (1,1) and D (1,2) can be acquired,
D (1,1) * D (1,2) = (S (1) * R (1) * R (2)) * (S (2) * R (1) * R (2))
= S (1) * S (2) * ((R (1) * R (1)) * ((R (2) * R (2))
= S (1) * S (2) * 0 * 0
= S (1) * S (2)
It becomes. In general, D (1, j) * D (1, j + 1) = S (j) * S (j + 1). Here, j is j = 2 × m + 1, and m is an arbitrary integer satisfying m ≧ 0.

  D (1,1) and D (1,2) are generated by the calculation of the original data and random numbers based on the above definition. However, although the contents of the original data are not known, S (1) * S (2) is calculated by calculating D (1,1) * D (1,2). This is not the original data itself, but does not include a random number component.

  If the random component is lost in this way, for each original partial data, for example, if part of S (2) is known, part of S (1) can be restored, so it is not safe. Conceivable. For example, the original data is data according to a standardized data format, and S (2) includes header information and padding (for example, a part of the data area padded with 0), etc. If it is a part, it includes keywords specific to these data formats, fixed character strings, and the like, so the contents can be predicted. Further, a part of S (1) can be restored from the known part of S (2) and the value of S (1) * S (2).

  The method for solving this problem is as follows. D (1, j + 1) and D (2, j + 1) in FIG. 6 are obtained by replacing D (1, j + 1) and D (2, j + 1) in FIG. Here, j is j = 2 × m + 1, and m is an arbitrary integer satisfying m ≧ 0.

In this case, with only the individual divided data, the random number component is not lost even if the calculation is performed between the divided partial data constituting the divided data. This is from FIG.
D (1, j) * D (1, j + 1) = (S (j) * R (j) * R (j + 1)) * (S (j + 1) * R (j + 1))
= S (j) * S (j + 1) * R (j) * ((R (j + 1) * R (j + 1))
= S (j) * S (j + 1) * R (j) * 0
= S (j) * S (j + 1) * R (j)
D (2, j) * D (2, j + 1) = (S (j) * R (j)) * (S (j + 1) * R (j) * R (j + 1))
= S (j) * S (j + 1) * (R (j) * R (j)) * R (j + 1))
= S (j) * S (j + 1) * 0 * R (j + 1)
= S (j) * S (j + 1) * R (j + 1)
D (3, j) * D (3, j + 1) = R (j) * R (j + 1)
Because it becomes.

  In this case, the characteristic that the original data can be restored from two of the three divided data is not lost. This is because when D (1) and D (2) are acquired and S is restored, D (1) and D (2) in FIG. 6 are D (1) and D (2) in FIG. Is simply a replacement of the divided part data, so the original data can obviously be restored from these, and D (1) and D (3) or D (2) and D (3) When acquiring and restoring S, since D (3) is divided data consisting only of random numbers, it is exclusive with the required number of random numbers for each divided partial data of D (1) or D (2). This is because the original data can be restored by erasing the random number portion by performing a logical OR operation.

  Next, a re-division process for generating new division data (re-division data) by giving a random number to the division data once divided will be described. This explains the function of the re-divided data generation unit 14 of the confidential information management system 1 when the divided data held by the user is lost. In this case as well, the case where the number of divisions is 3 will be described as an example. To do. In addition, since there are two methods for the re-division processing in the present embodiment, each will be described below.

(Random number additional injection method)
FIG. 7 is a flowchart for explaining an outline of data re-division processing in the random number additional injection method. According to the figure, first, the divided data D (1), D (2), D (3) are acquired (step S501), and then the random number generator 13 generates a random number R ′ to be used for re-division. (Step S503).

  Next, a random number R 'is injected into each of the divided data D (1), D (2), and D (3) according to a predetermined rule (step S505). This is based on the rule described later, and exclusive OR of the divided part data of the divided data D (1), D (2), D (3) and the random number part data of the random number R ′ is performed, and the new divided data D '(1), D' (2), D '(3) is generated (step S507).

  FIG. 8 shows a definition formula of divided partial data when the original data S is divided into three with the division number n = 3 based on the processing unit bit length b that is half the length of the original data, and the division after reinjection of random numbers It is a table | surface which shows the definition formula of partial data, the calculation formula in the case of decompress | restoring original data from each division | segmentation partial data, etc.

  Here, the definition formula of the divided partial data D (i, j) will be described.

  First, as shown in FIG. 6, for the first divided data D (1), the first divided partial data D (1,1) is defined as S (1) * R (1) * R. The second divided partial data D (1, 2) is defined by the definition formula S (2) * R (2). The general form of this defining formula is S (j) * R (j) * R (j + 1) for D (1, j), and for D (1, j + 1) S (j + 1) * R (j + 1) (j is an odd number).

  For the second divided data D (2), as shown in FIG. 6, D (2,1) is defined by S (1) * R (1), and D (2,2) is Defined by S (2) * R (1) * R (2). The general form of this definition is S (j) * R (j) for D (2, j) and S (j + 1) * R for D (2, j + 1) (j) * R (j + 1) (j is an odd number).

  Furthermore, for the third divided data D (3), as shown in FIG. 6, D (3,1) is defined by R (1) and D (3,2) is defined by R (2). Is done. The general form of this definition is R (j) for D (3, j) and R (j + 1) for D (3, j + 1) (j is an odd number) To do).

  Next, the definition formula of the divided partial data D ′ (i, j) after the new random number R ′ is injected will be described.

  First, as shown in FIG. 8, for the first divided data D ′ (1), the first divided partial data D ′ (1,1) is defined by the definition formula D (1,1) * R ′. (1) * R '(2), that is, S (1) * R (1) * R (2) * R' (1) * R '(2) (1,2) is defined by the definition formula D (1,2) * R ′ (2), that is, S (2) * R (2) * R ′ (2). Note that the general form of this defining formula is D (1, j) * R '(j) * R' (j + 1) for D '(1, j), and D' (1, j +1) is D (1, j + 1) * R ′ (j + 1) (j is an odd number).

  For the second divided data D ′ (2), as shown in FIG. 8, D ′ (2,1) is D (2,1) * R ′ (1), that is, S (1 ) * R (1) * R '(1) and D' (2,2) is D (2,2) * R '(1) * R' (2), that is, S (2) * R (1) * R (2) * R '(1) * R' (2) is defined. The general form of this definition is D (2, j) * R '(j) for D' (2, j) and D (2 for D '(2, j + 1) , j + 1) * R ′ (j) * R ′ (j + 1) (j is an odd number).

  For the third divided data D ′ (3), as shown in FIG. 8, D ′ (3,1) is D (3,1) * R ′ (1), that is, R (1 ) * R ′ (1) and D ′ (3,2) is defined by D (3,2) * R ′ (2), that is, R (2) * R ′ (2). The general form of this definition is D (3, j) * R '(j) * for D' (3, j) and D (3, j + 1) for D '(3, j + 1). 3, j + 1) * R ′ (j + 1) (j is an odd number).

  In this way, the re-partitioned partial data D ′ (i, j) is respectively random number partial data R that has been injected into the divided partial data D (i, j) by the definition formula of the divided partial data D (i, j). This is obtained by injecting random number partial data R ′ (j) corresponding to (j) and calculating exclusive OR.

  In addition, when the divided data held by the user is lost, any one of the above-mentioned divided data D (1), D (2), D (3) is lost. With respect to, it is necessary to restore from the remaining two divided data, and then generate re-divided data. Here, a method for generating lost divided data from the remaining two divided data will be described.

First, a case where the divided data D (3) is lost and the divided data D (3) is generated from the divided data D (1) and D (2) will be described. Specifically, in the example of FIG.
D (1,1) * D (2,1) = ((S (1) * R (1) * R (2)) * (S (1) * R (1))
= R (2) * (S (1) * S (1)) * (R (1) * R (1))
= R (2)
D (1,2) * D (2,2) = ((S (2) * R (2)) * (S (2) * R (1) * R (2))
= R (1) * (S (2) * S (2)) * (R (2) * R (2))
= R (1)
And D (3,1) = R (1), D (3,2) = R (2), so D (1,1) * D (2,1) and D (1, 2) * Divided data D (3) can be generated from D (2,2).

In the case where the divided data D (1) is lost and the divided data D (1) is generated from the divided data D (2), D (3),
D (1,1) = D (2,1) * R (2)
D (1,2) = D (2,2) * R (1)
And D (3,1) = R (1), D (3,2) = R (2), so D (2,1) * R (2) and D (2,2) The divided data D (1) can be generated from * R (1).

In addition, when the divided data D (2) is lost and the divided data D (2) is generated from the divided data D (1), D (3),
D (2,1) = D (1,1) * R (2)
D (2,2) = D (1,2) * R (1)
Since D (3,1) = R (1) and D (3,2) = R (2), the divided data D (1), D (3) to the divided data D (2) Can be generated.

  Next, a process for restoring the original data from the repartitioned data will be described with reference to the table shown on the right side of FIG. This explains the function of the original data restoration unit 12 of the confidential information management system 1 when the service is used after the user receives the re-divided data.

  First, the first original partial data S (1) can be generated from the divided partial data D ′ (2,1), D ′ (3,1) as follows.

D '(2,1) * D' (3,1) = (S (1) * R (1) * R '(1)) * (R (1) * R' (1))
= S (1) * (R (1) * R (1)) * (R '(1) * R' (1))
= S (1) * 0 * 0
= S (1)
Further, the second original partial data S (2) can be generated from the other divided partial data as follows.

D '(2,2) * D' (3,1) * D '(3,2) = (S (2) * R (1) * R (2) * R' (1) * R '(2 )) *
(R (1) * R '(1)) * (R (2) * R' (2))
= S (2) * (R (1) * R (1)) * (R (2) * R (2)) *
(R '(1) * R' (1)) * (R '(2) * R' (2))
= S (2) * 0 * 0 * 0 * 0
= S (2)
In general, let j be an odd number
D '(2, j) * D' (3, j) = (S (j) * R (j) * R '(j)) * (R (j) * R' (j))
= S (j) * (R (j) * R (j)) * (R '(j) * R' (j))
= S (j) * 0 * 0
= S (j)
Therefore, S (j) can be obtained by calculating D ′ (2, j) * D ′ (3, j).

In general, j is an odd number,
D '(2, j + 1) * D' (3, j) * D '(3, j + 1) = (S (j + 1) * R (j) * R (j + 1) * R' (j) * R '(j + 1)) *
(R (j) * R '(j)) * (R (j + 1) * R' (j + 1))
= S (j + 1) * ((R (j) * R (j)) * (R (j + 1) * R (j + 1)) *
* (R '(j) * R' (j)) * (R '(j + 1) * R' (j + 1))
= S (j + 1) * 0 * 0 * 0 * 0
= S (j + 1)
Therefore, S (j + 1) can be obtained by calculating D ′ (2, j + 1) * D ′ (3, j) * D ′ (3, j + 1).

  Next, when D ′ (1) and D ′ (3) are acquired and S is restored, it is as follows.

D '(1,1) * D' (3,1) * D '(3,2) = (S (1) * R (1) * R (2) * R' (1) * R '(2 )) *
(R (1) * R '(1)) * (R (2) * R' (2))
= S (1) * (R (1) * R (1)) * (R (2) * R (2)) *
(R '(1) * R' (1)) * (R '(2) * R' (2))
= S (1) * 0 * 0 * 0 * 0
= S (1)
Therefore, S (1) can be obtained by calculating D ′ (1,1) * D ′ (3,1) * D ′ (3,2).

Similarly,
D '(1,2) * D' (3,2) = (S (2) * R (2) * R '(2)) * (R (2) * R' (2))
= S (2) * (R (2) * R (2)) * (R '(2) * R' (2))
= S (2) * 0 * 0
= S (2)
Therefore, S (2) can be obtained by calculating D '(1,2) * D' (3,2).

In general, let j be an odd number
D '(1, j) * D' (3, j) * D '(3, j + 1) = (S (j) * R (j) * R (j + 1) * R' (j) * R '(j + 1)) *
(R (j) * R '(j)) * (R (j + 1) * R' (j + 1))
= S (j) * (R (j) * R (j)) * (R (j + 1) * R (j + 1)) *
(R '(j) * R' (j)) * (R '(j + 1) * R' (j + 1))
= S (j) * 0 * 0 * 0 * 0
= S (j)
Therefore, S (j) can be obtained by calculating D ′ (1, j) * D ′ (3, j) * D ′ (3, j + 1).

In general, j is an odd number,
D '(1, j + 1) * D' (3, j + 1) = (S (j + 1) * R (j + 1) * R '(j + 1)) * (R (j + 1 ) * R '(j + 1))
= S (j + 1) * (R (j + 1) * R (j + 1)) * (R '(j + 1) * R' (j + 1))
= S (j + 1) * 0 * 0
= S (j + 1)
Therefore, S (j + 1) can be obtained by calculating D ′ (1, j + 1) * D ′ (3, j + 1).

  Next, when D ′ (1) and D ′ (2) are acquired and S is restored, it is as follows.

D '(1,1) * D' (2,1) = (S (1) * R (1) * R (2) * R '(1) * R' (2)) * (S (1) * R (1) * R '(1))
= (S (1) * S (1)) * (R (1) * R (1)) * (R '(1) * R' (1)) * R (2) * R '(2)
= 0 * 0 * 0 * R (2) * R '(2)
= R (2) * R '(2)
Therefore, by calculating D ′ (1,1) * D ′ (2,1), R (2) * R ′ (2) can be obtained.

Similarly,
D '(1,2) * D' (2,2) = (S (2) * R (2) * R '(2)) * (S (2) * R (1) * R (2) * R '(1) * R' (2))
= (S (2) * S (2)) * R (1) * R '(1) * (R (2) * R (2)) * (R' (2) * R '(2))
= 0 * R (1) * R '(1) * 0 * 0
= R (1) * R '(1)
Therefore, if D ′ (1,2) * D ′ (2,2) is calculated, R (1) * R ′ (1) is obtained.

  Using these R (1) * R ′ (1) and R (2) * R ′ (2), S (1) and S (2) are obtained.

D '(2,1) * R (1) * R' (1) = (S (1) * R (1) * R '(1)) * R (1) * R' (1)
= S (1) * (R (1) * R (1)) * (R '(1) * R' (1))
= S (1) * 0 * 0
= S (1)
Therefore, S (1) can be obtained by calculating D ′ (2,1) * R (1) * R ′ (1).

Similarly,
D '(1,2) * R (2) * R' (2) = (S (2) * R (2) * R '(2)) * R (2) * R' (2)
= S (2) * (R (2) * R (2)) * (R '(2) * R' (2))
= S (2) * 0 * 0
= S (2)
Therefore, S (2) can be obtained by calculating D '(2,2) * R (2) * R' (2).

In general, let j be an odd number
D '(1, j) * D' (2, j) = (S (j) * R (j) * R (j + 1) * R '(j) * R' (j + 1)) * ( S (j) * R (j) * R '(j))
= (S (j) * S (j)) * (R (j) * R (j)) * (R '(j) * R' (j)) * R (j + 1) * R '(j +1)
= 0 * 0 * 0 * R (j + 1) * R '(j + 1)
= R (j + 1) * R '(j + 1)
Therefore, if D ′ (1, j) * D ′ (2, j) is calculated, R (j + 1) * R ′ (j + 1) is obtained.

Similarly,
D '(1, j + 1) * D' (2, j + 1) = (S (j + 1) * R (j + 1) * R '(j + 1)) *
(S (j + 1) * R (j) * R (j + 1) * R '(j) * R' (j + 1))
= (S (j + 1) * S (j + 1)) * R (j) * R '(j) *
(R (j + 1) * R (j + 1)) * (R '(j + 1) * R' (j + 1))
= 0 * R (j) * R '(j) * 0 * 0
= R (j) * R '(j)
Therefore, if D ′ (1, j + 1) * D ′ (2, j + 1) is calculated, R (j) * R ′ (j) is obtained.

  Using these R (j) * R ′ (j) and R (j + 1) * R ′ (j + 1), S (j) and S (j + 1) are obtained.

D '(2, j) * R (j) * R' (j) = (S (j) * R (j) * R '(j)) * R (j) * R' (j)
= S (j) * (R (j) * R (j)) * (R '(j) * R' (j))
= S (j) * 0 * 0
= S (j)
Therefore, S (j) can be obtained by calculating D '(2, j) * R (j) * R' (j).

Similarly,
D '(1, j + 1) * R (j + 1) * R' (j + 1) = (S (j + 1) * R (j + 1) * R '(j + 1)) * R (j + 1) * R '(j + 1)
= S (j + 1) * (R (j + 1) * R (j + 1)) * (R '(j + 1) * R' (j + 1))
= S (j + 1) * 0 * 0
= S (j + 1)
Therefore, S (j + 1) can be obtained by calculating D ′ (1, j + 1) * R (j + 1) * R ′ (j + 1).

  As described above, when subdivision data is generated by the random number additional injection method, three subdivision data D ′ (1), D ′ (2), and D ′ (3) are not used without using all three subdivision data. Of the divided data, the original data can be restored as described above using two re-divided data.

  In addition, in the random number additional injection method, the data can be re-divided without restoring the original data (the original data does not appear in a visible form), so that more secure data management is possible.

(Random number rewriting method)
FIG. 9 is a flowchart for explaining an outline of data re-division processing in the random number rewriting method. According to the figure, first, the divided data D (1), D (2), D (3) are acquired (step S601), and then the random number generator 13 generates a random number R ′ for use in re-division. (Step S603).

  Next, a random number R ′ is injected into each of the divided data D (1), D (2), and D (3) by the random number additional injection method described above (step S605). Next, R, which is an old random number, is deleted from the divided data into which the random number R ′ has been injected, and new re-divided data D ′ (1), D ′ (2), D ′ (3) are generated (step) S607, S609).

  FIG. 10 shows a divided partial data definition formula when the original data S is divided into three with a division number n = 3 based on the processing unit bit length b which is half the length of the original data, after reinjection of the random number R ′. 4 is a table showing a definition formula of the divided partial data, a definition formula of the divided partial data after erasing the random number R, a calculation formula when restoring the original data from each divided partial data, and the like.

  Since this method is the same as the random number additional injection method described above up to step S605, the description is omitted, and the definition formula of the divided partial data from which the old random number R is deleted will be described.

  First, for the first divided data D ′ (1), as shown in FIG. 10, the first divided partial data D ′ (1,1) is defined by the definition formula (S (1) * R (1 ) * R (2) * R '(1) * R' (2)) * (R (1) * R (2)), that is, S (1) * R '(1) * R' (2) The second divided partial data D ′ (1, 2) is defined by the definition formula (S (2) * R (2) * R ′ (2)) * R (2), that is, S (2) * R '(2) is defined. The general form of this defining formula is S (j) * R '(j) * R' (j + 1) for D '(1, j), and D' (1, j + 1 ) Is S (j + 1) * R ′ (j + 1) (j is an odd number).

  For the second divided data D ′ (2), as shown in FIG. 10, D ′ (2,1) is (S (1) * R (1) * R ′ (1)) *. R (1), that is, S (1) * R '(1), and D' (2,2) is defined as (S (2) * R (1) * R (2) * R '(1) * R ′ (2)) * R (1) * R (2), that is, S (2) * R ′ (1) * R ′ (2). The general form of this definition is S (j) * R '(j) * for D' (2, j) and S (j + 1) for D (2, j + 1) ) * R ′ (j) * R ′ (j + 1) (j is an odd number).

  For the third divided data D ′ (3), as shown in FIG. 10, D ′ (3,1) is (R (1) * R ′ (1)) * R (1), That is, R ′ (1) is defined, and D ′ (3,2) is defined by (R (2) * R ′ (2)) * R (2), that is, R ′ (2). The general form of this definition is R '(j) * for D' (3, j) and R '(j + 1) for D (3, j + 1) ( j is an odd number).

  In this way, the re-partitioned partial data D ′ (i, j) is respectively random number partial data R that has been injected into the divided partial data D (i, j) by the definition formula of the divided partial data D (i, j). After injecting random number partial data R '(j) corresponding to (j), inject random number partial data R (j) so as to erase random number partial data R (j) and calculate exclusive OR. , What you want.

  As a result, in the definition formula of the original divided partial data D (i, j), the random partial data R (j) replaced with the random partial data R ′ (j) is the re-divided partial data D ′ (i , j).

  Next, a process for restoring the original data from the repartitioned data will be described with reference to the table shown on the right side of FIG. This explains the function of the original data restoration unit 12 of the confidential information management system 1 when the service is used after the user receives the re-divided data.

  First, the first original partial data S (1) can be generated from the divided partial data D ′ (2,1), D ′ (3,1) as follows.

D '(2,1) * D' (3,1) = (S (1) * R '(1)) * R' (1)
= S (1) * (R '(1) * R' (1))
= S (1) * 0
= S (1)
Further, the second original partial data S (2) can be generated from the other divided partial data as follows.

D '(2,2) * D' (3,1) * D '(3,2) = (S (2) * R' (1) * R '(2)) * R' (1) * R '(2)
= S (2) * (R '(1) * R' (1)) * (R '(2) * R' (2))
= S (2) * 0 * 0
= S (2)
In general, let j be an odd number
D '(2, j) * D' (3, j) = (S (j) * R '(j)) * R' (j)
= S (j) * (R '(j) * R' (j))
= S (j) * 0
= S (j)
Therefore, S (j) can be obtained by calculating D ′ (2, j) * D ′ (3, j).

In general, j is an odd number,
D '(2, j + 1) * D' (3, j) * D '(3, j + 1) = (S (j + 1) * R' (j) * R '(j + 1)) * R '(j) * R' (j + 1)
= S (j + 1) * (R '(j) * R' (j)) * (R '(j + 1) * R' (j + 1))
= S (j + 1) * 0 * 0
= S (j + 1)
Therefore, S (j + 1) can be obtained by calculating D ′ (2, j + 1) * D ′ (3, j) * D ′ (3, j + 1).

  Next, when D ′ (1) and D ′ (3) are acquired and S is restored, it is as follows.

D '(1,1) * D' (3,1) * D '(3,2) = (S (1) * R' (1) * R '(2)) * R' (1) * R '(2)
= S (1) * (R '(1) * R' (1)) * (R '(2) * R' (2))
= S (1) * 0 * 0
= S (1)
Therefore, S (1) can be obtained by calculating D ′ (1,1) * D ′ (3,1) * D ′ (3,2).

Similarly,
D '(1,2) * D' (3,2) = (S (2) * R '(2)) * R' (2)
= S (2) * (R '(2) * R' (2))
= S (2) * 0
= S (2)
Therefore, S (2) can be obtained by calculating D '(1,2) * D' (3,2).

In general, let j be an odd number
D '(1, j) * D' (3, j) * D '(3, j + 1) = (S (j) * R' (j) * R '(j + 1)) * R' ( j) * R '(j + 1)
= S (j) * (R '(j) * R' (j)) * (R '(j + 1) * R' (j + 1))
= S (j) * 0 * 0
= S (j)
Therefore, S (j) can be obtained by calculating D ′ (1, j) * D ′ (3, j) * D ′ (3, j + 1).

In general, j is an odd number,
D '(1, j + 1) * D' (3, j + 1) = (S (j + 1) * R '(j + 1)) * R' (j + 1)
= S (j + 1) * (R '(j + 1) * R' (j + 1))
= S (j + 1) * 0
= S (j + 1)
Therefore, S (j + 1) can be obtained by calculating D ′ (1, j + 1) * D ′ (3, j + 1).

  Next, when D ′ (1) and D ′ (2) are acquired and S is restored, it is as follows.

D '(1,1) * D' (2,1) = (S (1) * R '(1) * R' (2)) * (S (1) * R '(1))
= (S (1) * S (1)) * (R '(1) * R' (1)) * R '(2)
= 0 * 0 * R '(2)
= R '(2)
Therefore, R ′ (2) can be obtained by calculating D ′ (1,1) * D ′ (2,1).

Similarly,
D '(1,2) * D' (2,2) = (S (2) * R '(2)) * (S (2) * R' (1) * R '(2))
= (S (2) * S (2)) * (R '(2) * R' (2)) * R '(1)
= 0 * 0 * R '(1)
= R '(1)
Therefore, R ′ (1) can be obtained by calculating D ′ (1,2) * D ′ (2,2).

  Using these R ′ (1) and R ′ (2), S (1) and S (2) are obtained.

D '(2,1) * R' (1) = (S (1) * R '(1)) * R' (1)
= S (1) * (R '(1) * R' (1))
= S (1) * 0
= S (1)
Therefore, S (1) can be obtained by calculating D ′ (2,1) * R ′ (1).

Similarly,
D '(1,2) * R' (2) = (S (2) * R '(2)) * R' (2)
= S (2) * (R '(2) * R' (2))
= S (2) * 0
= S (2)
Therefore, S (2) can be obtained by calculating D '(1,2) * R' (2).

In general, let j be an odd number
D '(1, j) * D' (2, j) = (S (j) * R '(j) * R' (j + 1)) * (S (j) * R '(j))
= (S (j) * S (j)) * (R '(j) * R' (j)) * R '(j + 1)
= 0 * 0 * R '(j + 1)
= R '(j + 1)
Therefore, R ′ (j + 1) can be obtained by calculating D ′ (1, j) * D ′ (2, j).

Similarly,
D '(1, j + 1) * D' (2, j + 1) = (S (j + 1) * R '(j + 1)) * (S (j + 1) * R' (j) * R '(j + 1))
= (S (j + 1) * S (j + 1)) * (R '(j + 1) * R' (j + 1)) * R '(j)
= 0 * 0 * R '(j)
= R '(j)
Therefore, R ′ (j) can be obtained by calculating D ′ (1, j + 1) * D ′ (2, j + 1).

  Using these R ′ (j) and R ′ (j + 1), S (j) and S (j + 1) are obtained.

D '(2, j) * R' (j) = (S (j) * R '(j)) * R' (j)
= S (j) * (R '(j) * R' (j))
= S (j) * 0
= S (j)
Therefore, S (j) can be obtained by calculating D '(2, j) * R' (j).

Similarly,
D '(1, j + 1) * R' (j + 1) = (S (j + 1) * R '(j + 1)) * R' (j + 1)
= S (j + 1) * (R '(j + 1) * R' (j + 1))
= S (j + 1) * 0
= S (j + 1)
Therefore, S (j + 1) can be obtained by calculating D ′ (1, j + 1) * R ′ (j + 1).

  As described above, when subdivision data is generated by the random number rewriting method, three subdivisions can be performed without using all three subdivision data D ′ (1), D ′ (2), and D ′ (3). Of the data, the original data can be restored as described above by using two subdivision data.

  Also in the random number rewriting method, the data can be re-divided without restoring the original data once (the original data does not appear in a visible form), so that more secure data management is possible.

<Operation>
Next, the operation of the entire computer system 10 to which the confidential information management system 1 according to the present embodiment is applied will be described. Here, FIG. 11 is a sequence diagram for explaining the operation of the user registering the confidential information S in the confidential information management system 1, and FIG. 12 shows the operation of the confidential information management system 1 when the user uses the service. FIG. 13 is a sequence diagram for explaining the operation of the confidential information management system 1 when the divided data D held by the user is lost.

(1) Confidential Information Registration Process First, the user transmits confidential information S from the terminal 2 to the confidential information management system 1 via the communication network 4 (step S10). Upon receiving the confidential information S, the confidential information system 1 divides it into three data (divided data) D (1), D (2), D (3) using the secret sharing method A described above (step S20). .

  Next, the confidential information management system 1 transmits the divided data generated in this way to each of the storage servers 3a and 3b and the terminal 2 via the network 4 (step S30).

  Next, the storage servers 3a and 3b store the transmitted divided data D (1) and D (2), respectively, in a storage device such as a hard disk (step S40). The terminal 2 stores the transmitted divided data D (3) in a storage device such as a hard disk (step S50).

  As a result, even if any one of the divided data of the terminal 2 and the storage servers 3a and 3b is lost or destroyed, the original confidential information S can be restored from the remaining two divided data.

(2) Service use processing When the user uses the service providing system 5, first, the divided data D (3) held in the terminal 2 is transmitted to the confidential information management system 1 via the communication network (step S110). .

  Upon receiving the divided data D (3) from the terminal 2, the confidential information management system 1 requests the remaining divided data D (1) and D (2) from the storage servers 3a and 3b, and the divided data D (1). , D (2) are received (step S120).

  Next, the confidential information management system 1 restores the confidential information S using the secret sharing method A from any two of the divided data D (1), D (2), and D (3) (step S130). Then, the restored confidential information S is transmitted to the service provider 5 (step S140), and the fact that the confidential information S is restored and transmitted is generated as a use history (step S150).

  Upon receiving the confidential information S from the confidential information management system 1, the service providing system 5 determines the legitimacy of the confidential information S and provides the service to the terminal 2 via the communication network 4 (steps S160 and S170). . Thereby, the user can receive provision of a desired service.

(3) Processing when the divided data is lost When the user loses the divided data D (3) (for example, when the terminal 2 storing the divided data D (3) is lost), first, the confidential information management system 1 is notified (for example, telephone contact is made to the operator of the confidential information management system 1) (step S210).

  Thereby, the confidential information management system 1 requests the divided data from the storage servers 3a and 3b, and receives the divided data D (1) and D (2) from the storage servers 3a and 3b, respectively (step S220).

  Next, the confidential information management system 1 uses the secret sharing method A from the divided data D (1) and D (2) to newly add three data (subdivided data) D ′ (1) and D ′ (2 ), D ′ (3) is generated (step S240).

  Here, the re-divided data D ′ (1) and D ′ (2) are respectively generated from the divided data D (1) and D (2) according to the random number addition injection method or the random number rewriting method described above. . On the other hand, D ′ (3) first generates divided data D (3) from the divided data D (1) and D (2), and then the divided data D (3 (3) according to the random number addition injection method or the random number rewriting method. ) To generate D ′ (3).

  Next, the confidential information management system 1 loses the re-divided data generated in this way to each storage server 3a, 3b and terminal 2 (for example, the terminal 2 in which the user stores the divided data D (3) is lost. If so, the user transmits to the newly purchased terminal 2) via the network 4 (steps S250 and S260).

  Next, the storage servers 3a and 3b store the re-divided data D '(1) and D' (2) respectively transmitted to a storage device such as a hard disk (step S250). Further, the terminal 2 stores the transmitted divided data D ′ (3) in a storage device such as a hard disk (step S260). Thereby, the user can use the service again.

  Therefore, according to the present embodiment, the confidential information S required when receiving a predetermined service is divided into a plurality of pieces using the secret sharing method A, and a part of them is held by the user. Even if there is a loss of the divided data held by the data, the confidential information S can be restored from the remaining divided data, and the re-divided data is newly generated using the secret sharing method A, and a part of the re-divided data is Since it is newly held by the user, it is not necessary to change the confidential information S.

  As a result, even if the divided data held by the user is lost, it is possible to receive the service again only by reporting the loss without re-issuing the confidential information S.

  In particular, the secret sharing method according to the present invention is a data division method for dividing confidential information into divided data of a desired number of divisions based on a desired processing unit bit length. The secret information is divided into processing unit bit lengths. Generating a plurality of original part data, and corresponding to each of the plurality of original part data, a plurality of random part data having a processing unit bit length from a random number having a length equal to or shorter than the bit length of the confidential information. Generate and generate each divided part data constituting each divided data for each processing unit bit length by exclusive OR of the original partial data and the random number partial data to generate divided data of a desired number of divisions and generate Confidential information can be restored from a predetermined number of pieces of divided data, and a plurality of random number partial data with a processing unit bit length is generated from newly generated random numbers , By generating the re-partitioned partial data for each processing unit bit length by exclusive OR of each divided partial data and the random number partial data, and generating the re-divided data of the desired number of divisions, Since the confidential information can be restored from a predetermined number of the re-divided data, the confidential information can be re-divided without restoring the confidential information.

Thereby, the confidential information of the user can be managed more securely.
Moreover, since the confidential information S cannot be restored even if a third party who acquired the lost divided data accesses the confidential information management system 1, the service cannot be used, and safety is ensured.

  Furthermore, since the user's usage history is stored in the confidential information management system 1, a third party temporarily acquires the confidential information S until the user declares that the divided data has been lost. Even if it is abused, the presence or absence of abuse can be determined from the usage history.

  Note that the secret sharing method A in the present embodiment does not require multi-precision integer arithmetic processing including polynomial arithmetic, remainder arithmetic, etc., so even when processing a large amount of large volume data, it is easy and quick. The effect that division and restoration can be performed can be obtained.

  As mentioned above, although embodiment of this invention has been described, various deformation | transformation and change can be performed with respect to embodiment of this invention in the range which does not deviate from the summary of this invention. For example, in the above embodiment, the confidential information S is transferred from the terminal 2 to the confidential information management system 1 via the communication network 4. However, the present invention is not limited to this. You may deliver the recorded recording medium via means other than the communication network 3, such as mail. Similarly, the divided data held by the user is also received via the communication network 4. However, the present invention is not limited to this. For example, a means other than the communication network 3 such as mailing a recording medium on which the divided data is recorded can be used. You may pass it through.

  In the above embodiment, when the user uses the service, the confidential information management system 1 restores the confidential information. However, the present invention is not limited to this, and the user's terminal 2 is stored in the terminal 2. From the data and the divided data acquired from the confidential information management system 1, the confidential information may be restored using the secret sharing method A, and the confidential information may be transmitted to the service providing system 5. In this case, if the user loses the terminal 2 while the restored confidential information is stored in the terminal 2, the problem to be solved by the present invention cannot be solved. It is necessary to provide a mechanism for erasing from the terminal 2 immediately after transmission to the system 5, or a mechanism for preventing unauthorized extraction of data of the terminal 2 by a third party.

  Furthermore, in the above-described embodiment, the re-division process is performed according to a request from the user. However, the confidential information management system 1 may voluntarily perform the re-division process at a predetermined opportunity.

It is a block diagram which shows schematic structure of the whole computer system with which the confidential information management system which concerns on embodiment of this invention is applied. It is a flowchart which shows the division | segmentation process in case the division | segmentation number n = 3 of the confidential information management system which concerns on embodiment of this invention. Each data and definition formula when 16-bit original data S is divided into three with a division number n = 3 based on the 8-bit processing unit bit length, and a calculation formula when restoring the original data from each divided partial data, etc. It is a table | surface which shows. It is a table | surface which shows the definition formula which produces | generates the division data, division | segmentation partial data, and each division | segmentation partial data in case division number n = 3. It is a flowchart which shows the general division | segmentation process in case the division | segmentation number of the confidential information management system which concerns on embodiment of this invention is n, and a process unit bit length is b. 12 is a table showing another example of definition data for generating divided data, divided partial data, and divided partial data when the number of divisions n = 3. It is a flowchart which shows the data re-division process (random number addition injection | pouring system) in the confidential information management system which concerns on embodiment of this invention. The original data S is re-divided with the division number n = 3 based on the processing unit bit length that is half the length of the original data S by the random number additional injection method. It is a table | surface which shows the calculation formula in the case of decompress | restoring. It is a flowchart which shows the data re-division process (random number rewriting system) in the confidential information management system which concerns on embodiment of this invention. Restore original data from each data, definition formula, and each divided partial data when re-dividing original data S with the number of divisions n = 3 based on the processing unit bit length that is half the length of the original data S by random number rewriting method It is a table | surface which shows the calculation formula in the case of doing. It is a sequence diagram explaining the process which registers confidential information in the confidential information management system which concerns on embodiment of this invention. It is a sequence diagram explaining the process at the time of service utilization in the confidential information management system which concerns on embodiment of this invention. It is a sequence diagram explaining a process when a part of confidential information which a user hold | maintains is lost in the confidential information management system which concerns on embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Confidential information management system 2 ... Terminal 3a, 3b ... Storage server 4 ... Communication network 5 ... Service provision system 10 ... Computer system 11 ... Divided data production | generation part 12 ... Original data restoration part 13 ... Random number generation part 14 ... Repartition data Generation unit 15 ... Usage history generation unit 16 ... Communication unit

Claims (14)

A confidential information management system for managing confidential information of users using a secret sharing method,
The secret sharing method is:
A data division method that divides the confidential information into a desired number of divided data based on a desired processing unit bit length, and divides the confidential information into processing unit bit lengths to generate a plurality of original partial data Then, corresponding to each of the plurality of original partial data, a plurality of random part data having a processing unit bit length is generated from a random number having a length equal to or shorter than the bit length of the confidential information. Generate each divided partial data to be configured for each processing unit bit length by exclusive OR of the original partial data and the random number partial data to generate a desired number of divided data,
Generate a plurality of random part data of processing unit bit length from the newly generated random number, and generate re-partitioned partial data for each processing unit bit length by exclusive OR of the respective divided part data and the random part data A data division method for generating the desired number of subdivision data,
Data dividing means for dividing the confidential information into a plurality of divided data using the secret sharing method;
A part of the plurality of divided data is stored in the first storage unit as divided data to be held by the user, and the rest of the plurality of divided data is respectively stored in one or a plurality of second storage units. Data storage means for storing in
Using said secret sharing scheme, among the divided data stored in the second storage unit, a combination of the divided data can be restored predetermined number, and the data re-division means for creating a plurality of re-divided data ,
A part of the plurality of subdivision data is stored in the first storage unit as new division data, and each of the subdivision data stored in the second storage unit is invalidated, and the plurality of subdivision data Data re-storing means for storing the remainder of the data as new divided data in each of the second storage units;
A confidential information management system characterized by comprising:   When using the confidential information, the division data held by the user is acquired, and the division data and a combination of the predetermined number of division data among the division data stored in the second storage unit The confidential information management system according to claim 1, further comprising: a data restoring unit that restores the confidential information using the secret sharing method.   3. The confidential information management system according to claim 2, further comprising usage history storage means for storing the used fact as usage history information when the confidential information is used.   When using the confidential information, among the pieces of divided data stored in the second storage unit, a combination of pieces of divided data obtained by subtracting the number of pieces of divided data held by the user from the predetermined number 2. The confidential information management system according to claim 1, further comprising a divided data transmission unit that transmits the data to a terminal of the user via a communication network.   The data re-dividing means generates divided data held by the user by exclusive OR operation of divided partial data constituting each divided data included in the combination of the predetermined number of divided data. The confidential information management system according to any one of claims 1 to 4, wherein   The secret sharing method performs each re-examination operation by exclusive OR operation between each divided partial data and each new random number partial data corresponding to each random number partial data used for generating each divided partial data. 6. The confidential information management system according to claim 1, wherein the partial data is generated.   The secret sharing method further includes an exclusive OR operation between each of the subdivision partial data and each of the old random number partial data used when generating the subdivision data before each subdivision partial data generation, 7. The confidential information management system according to claim 6, wherein old random number partial data is erased from the subdivision partial data.   The secret according to any one of claims 1 to 7, further comprising transmission means for transmitting the divided data stored in the first storage unit to a terminal of the user via a communication network. Information management system.   9. The confidential information management system according to claim 1, further comprising receiving means for receiving the confidential information from a terminal of the user via a communication network. A confidential information management method for managing confidential information of a user using a secret sharing method performed by a confidential information management system ,
The secret sharing method is:
A data division method that divides the confidential information into a desired number of divided data based on a desired processing unit bit length, and divides the confidential information into processing unit bit lengths to generate a plurality of original partial data Then, corresponding to each of the plurality of original partial data, a plurality of random part data having a processing unit bit length is generated from a random number having a length equal to or shorter than the bit length of the confidential information. Generate each divided partial data to be configured for each processing unit bit length by exclusive OR of the original partial data and the random number partial data to generate a desired number of divided data,
Generate a plurality of random part data of processing unit bit length from the newly generated random number, and generate re-partitioned partial data for each processing unit bit length by exclusive OR of the respective divided part data and the random part data A data division method for generating the desired number of subdivision data,
The confidential information management system includes:
A first storage unit and a second storage unit,
A data dividing step of dividing the confidential information into a plurality of divided data using the secret sharing method;
A portion of the plurality of divided data, together with the user stored in the first storage unit as the divided data to hold, the remaining of the plurality of divided data, one or a plurality of the second memory A data storage step for storing each of the units;
Using said secret sharing scheme, among the divided data stored in the second storage unit, a combination of the divided data can be restored predetermined number, and the data re-division step of creating a plurality of re-divided data ,
Stores in the first storage unit a part of the plurality of re-divided data as new division data, disable the divided data stored in the second storage unit, the plurality of re-division data a data re-storing step of storing in each of said second storage unit the remainder as a new data segment of,
Confidential information management method and performing. A confidential information management program for managing confidential information of users using a secret sharing method,
The secret sharing method is:
A data division method that divides the confidential information into a desired number of divided data based on a desired processing unit bit length, and divides the confidential information into processing unit bit lengths to generate a plurality of original partial data Then, corresponding to each of the plurality of original partial data, a plurality of random part data having a processing unit bit length is generated from a random number having a length equal to or shorter than the bit length of the confidential information. Generate each divided partial data to be configured for each processing unit bit length by exclusive OR of the original partial data and the random number partial data to generate a desired number of divided data,
Generate a plurality of random part data of processing unit bit length from the newly generated random number, and generate re-partitioned partial data for each processing unit bit length by exclusive OR of the respective divided part data and the random part data A data division method for generating the desired number of subdivision data,
Computer
Data dividing means for dividing the confidential information into a plurality of divided data using the secret sharing method;
A part of the plurality of divided data is stored in the first storage unit as divided data to be held by the user, and the rest of the plurality of divided data is respectively stored in one or a plurality of second storage units. Data storage means for storing
Using said secret sharing scheme, the second one of the divided data stored in the storage unit, a combination of the divided data can be restored predetermined number, the data re-division means for creating a plurality of re-divided data, and,
A part of the plurality of subdivision data is stored in the first storage unit as new division data, and each of the subdivision data stored in the second storage unit is invalidated, and the plurality of subdivision data Data re-storing means for storing the remainder of the data as new divided data in each of the second storage units,
As a confidential information management program. The computer,
When using the confidential information, the division data held by the user is acquired, and the division data and a combination of the predetermined number of division data among the division data stored in the second storage unit Data restoring means for restoring the confidential information using the secret sharing method from
12. The confidential information management program according to claim 11, wherein the confidential information management program is made to function as: The computer,
When using the confidential information, among the pieces of divided data stored in the second storage unit, a combination of pieces of divided data obtained by subtracting the number of pieces of divided data held by the user from the predetermined number Divided data transmission means for transmitting the terminal to a terminal of the user via a communication network ,
12. The confidential information management program according to claim 11, wherein the confidential information management program is made to function as: A terminal program for a confidential information management system that uses the confidential information of the user using the divided data transmitted from the confidential information management system according to claim 4,
Terminal computer,
Restoration means the user obtains the divided data held to restore the secret information using the secret sharing scheme from the combination of the divided data the transmission and the divided data and,
Transmitting means for transmitting the restored confidential information to a system providing the service via a communication network ;
Terminal program for confidential information management system to function as

Images