JP5458116B2 - Data distribution device, distributed data conversion device, data restoration device - Google Patents

Description

  The present invention relates to a secret sharing technique.

  Secret sharing is a technology that converts data into a plurality of distributed values and restores the original data by using more than a certain number of distributed values, and makes it impossible to restore the original data from less than a certain number of distributed values. . Assuming that the total number of variance values is N and the minimum number of variance values required for restoration is K (≦ N), there are some schemes in which the values of N and K are not limited.

As a typical scheme for secret sharing, there is a Shamir secret sharing scheme (for example, see Non-Patent Document 1). In this method, p is a prime number, GF (p) is a finite field of order p, and x is a variable such that f (0) = a for the value a∈GF (p) A variance value S _i (a) = (i, f (i)) (i = 1,..., N) of a is obtained from the following expression f (x). Since n ₁ ,..., n _K are different integers between 1 and N, the following relationship is established.

  In addition, several secret calculation (multi-party calculation) methods using secret sharing as an elemental technology have been proposed (see, for example, Non-Patent Document 2). In such a secret calculation method, a distributed value of data held by each subject is sent to another subject, and the intended calculation is executed without revealing the distributed value to the other subject. A variance value of the calculation result is obtained from each subject that has performed the calculation. If K or more of such dispersion values are obtained, the calculation result can be restored, and if not obtained, the calculation result cannot be restored. Non-Patent Document 2 discloses a secret calculation method using a shared value obtained according to the Shamir secret sharing method.

A. Shamir, “How to share a secret,” Commu. ACM 22 (11), pp. 612-613, 1979. M. Ben-Or, S. Goldwasser, and A. Wigderson, “Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract),” STOC 1988, pp. 1-10, 1988.

In the Shamir secret sharing scheme, if the data amount of a and its respective distributed values is constant, the total data amount of the distributed values is approximately N times the data amount of a. The total data amount of the variance values required for restoration is approximately K times the data amount of a. Since an increase in the data amount of the variance value leads to an increase in communication time and stored data, it is desirable to suppress the data amount of the variance value as much as possible.
The present invention has been made in view of such a point, and an object thereof is to suppress the data amount of the shared value of the secret sharing scheme.

When distributing data, select K-1 values v (k) (k = 1, ..., K-1) and K-1 values a (k) = P (v (k)) ∈ G (k = 1, ..., K-1), N variance values T _k (α) = v (k) (k = 1, ..., K-1), T _θ (α ) = f (n (θ)) (θ = K, ..., N) is obtained. Where N and K are integers greater than or equal to 2, K ≦ N, G is a set, n (0), n (1), ..., n (N) are different from each other, and the value n F (n (k)) = a (k) (k = 1, ..., K-) for (1), ..., n (K-1) and the value α∈G that is an element of the set G A K−1 order expression satisfying 1) and f (n (0)) = α is f (x).

At the time of data restoration, from K variance values T _λ (α) corresponding to K different λ∈ {1, ..., N}, K different values n (λ) (λ∈ {1,. ., N}) to obtain K values f (n (λ)), and for K values f (n (λ)), F (n (λ)) = f (n (λ) ) Obtain a function value F (n (0)) = α of the K−1 linear expression F (x) that satisfies (λ∈ {1,..., N}).

  In the present invention, it is possible to suppress the data amount of the shared value of the secret sharing scheme.

FIG. 1 is a block diagram illustrating a functional configuration of a secret sharing system. FIG. 2A is a block diagram illustrating the functional configuration of the data distribution device, and FIG. 2B is a block diagram illustrating the functional configuration of the data storage device. FIG. 3A is a block diagram illustrating the functional configuration of the data restoration device, and FIG. 3B is a block diagram illustrating the functional configuration of the distributed data conversion device. 4A is a flowchart for illustrating the processing of the data distribution apparatus, FIG. 4B is a flowchart for illustrating the processing of the distributed data conversion apparatus, and FIG. 4C is for illustrating the processing of the data restoration apparatus. It is a flowchart of. FIG. 5A is a flowchart for illustrating the processing of the data distribution apparatus, FIG. 5B is a flowchart for illustrating the processing of the distributed data conversion apparatus, and FIG. 5C is for illustrating the processing of the data restoration apparatus. It is a flowchart of. FIG. 6 is a block diagram illustrating a functional configuration of the secret sharing system. FIG. 7A is a block diagram illustrating the functional configuration of the data distribution device, and FIG. 7B is a block diagram illustrating the functional configuration of the data storage device. FIG. 8 is a block diagram illustrating a functional configuration of the data restoration device. 9A and 9B are block diagrams illustrating the functional configuration of the distributed data conversion apparatus. FIG. 10 is a block diagram illustrating a functional configuration of the distributed data conversion apparatus. FIG. 11 is a flowchart for illustrating processing of the data distribution apparatus. 12A to 12C are flowcharts for illustrating the processing of the distributed data conversion apparatus. FIG. 13 is a flowchart for illustrating the processing of the data restoration apparatus. FIG. 14 is a flowchart for illustrating processing of the data distribution apparatus. 15A to 15C are flowcharts for illustrating processing of the distributed data conversion apparatus. FIG. 16 is a flowchart for illustrating the processing of the data restoration device. FIG. 17 is a block diagram illustrating a functional configuration of the secret sharing system. 18A is a block diagram illustrating the functional configuration of the data distribution device, FIG. 18B is a block diagram illustrating the functional configuration of the data storage device, and FIG. 18C is a block illustrating the functional configuration of the data restoration device. FIG. FIG. 19A is a flowchart for illustrating the processing of the data distribution apparatus, and FIG. 19B is a flowchart for illustrating the processing of the data restoration apparatus. FIG. 20 is a block diagram illustrating a functional configuration of the distributed data conversion apparatus. FIG. 21A is a flowchart for illustrating the processing of the data distribution apparatus, FIG. 21B is a flowchart for illustrating the processing of the distributed data conversion apparatus, and FIG. 21C is for illustrating the processing of the data restoration apparatus. It is a flowchart of. FIG. 22 is a block diagram illustrating a functional configuration of the data distribution apparatus. FIG. 23 is a flowchart for illustrating processing of the data distribution apparatus. 24A and 24B are flowcharts for illustrating the processing of the distributed data conversion apparatus. FIG. 25 is a flowchart for illustrating processing of the data distribution apparatus.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[First Embodiment]
First, the outline of the first embodiment will be described.
In the first embodiment, N and K are integers of 2 or more, K ≦ N, G is a certain set, and P (x) is a mapping that moves a value corresponding to x to an element of the set G is there. The set G is a set in which operations are defined, and the set G may be arbitrary as long as the following processing can be executed. For example, as in Non-Patent Document 1, the set G is a finite field GF (p). The mapping P (x) outputs elements of the set G with respect to the input “value corresponding to x”. The same “P (x)” corresponds to the same “value corresponding to x”. That is, the map P (x) is a deterministic map in which the outputs are equal if the inputs are equal. “Value corresponding to x” and “P (x)” may or may not correspond one-on-one. The “value corresponding to x” may be the value x itself or a combination value of x and another value. An example of the mapping P (x) is a pseudorandom number generation function that returns elements of the set G using x as a seed. Also, for example, a common key encryption function that outputs a ciphertext belonging to the set G for a fixed plaintext with x as a secret key can be used as P (x). The “mapping” may be a function or an algorithm. K = N may be sufficient and K <N may be sufficient.

The secret sharing system according to the first embodiment includes a data sharing device, a data restoration device, N data storage devices, and K-1 distributed data conversion devices.
The data distribution apparatus of this embodiment selects K−1 values v (k) (k = 1,..., K−1), and K−1 values a (k) = P (v ( k)) ∈G (k = 1, ..., K-1), N variance values T _k (α) = v (k) (k = 1, ..., K-1), T _θ (α) = f (n (θ)) (θ = K,..., N) is obtained. However, n (0), n (1), ..., n (N) are different from each other, and are values n (1), ..., n (K-1) and elements of the set G For a value α∈G, a K-1 order equation satisfying f (n (k)) = a (k) (k = 1, ..., K-1) and f (n (0)) = α is f (x). N distribution values T _i (α) (i = 1,..., N) obtained by the data distribution device are provided and stored in each of the N data storage devices, for example.

The data restoration apparatus according to the present embodiment uses K different values n (λ) (λ∈ {) from variance values T _λ (α) corresponding to K different λ∈ {1,..., N}. K values f (n (λ)) corresponding to 1, ..., N}) are obtained. For example, the data restoration apparatus according to the present embodiment has K variance values T _λ (α) corresponding to K different λ∈ {1,..., N} and a variance value T _κ (α) = v ( If κ) (κ∈ {1,..., K−1}) is included, let f (n (κ)) = P (v (κ)). The data restoration apparatus satisfies K satisfying F (n (λ)) = f (n (λ)) (λ∈ {1,..., N}) for K values f (n (λ)). -The function value F (n (0)) = α of the linear expression F (x) is obtained.

Each of the K-1 distributed data conversion apparatuses according to the present embodiment includes a variance value T _κ (α) = v (κ) (κ∈ {1,..., K-1}) to a transformed variance value S _κ ( α) = P (v (κ)) is obtained. The transform dispersion value S _k (α) (k = 1, ..., K-1) obtained in this way and the dispersion value T _θ (α) = f (n (θ)) (θ = K,. .., N) are used as input values for the secret calculation. A specific example of the secret calculation is a secret calculation based on Shamir secret sharing disclosed in Non-Patent Document 2, for example. The secret calculation may be a unary operation or a multinomial operation.

Preferably, in this embodiment, the total data amount of values v (k) (k = 1,..., K−1) is smaller than the total data amount of K−1 elements of the set G. Preferably, in this embodiment, the data amount of any value v (k) is smaller than the data amount of the elements of the set G. More preferably in this embodiment, the data amount of each value v (k) is smaller than the data amount of the elements (one element) of the set G. Even more preferably, the data amount of each value v (m) is negligible with respect to the data amount of the elements of the set G (for example, (data amount of each of v (m)) / (set G The amount of data in the element) ≤ 80/10 ⁶ ).

<Configuration>
As illustrated in FIG. 1, the secret sharing system 1 according to the first embodiment includes a data sharing device 110, N data storage devices 120-i (i = 1,..., N), and K−1 pieces. The distributed data conversion device 140-k (k = 1,..., K-1) and the data restoration device 130 are included. The data distribution device 110 can provide information to the N data storage devices 120-i (i = 1,..., N) via a network or a portable recording medium. Each of the N data storage devices 120-i (i = 1,..., N) is connected to K−1 distributed data conversion devices 140-k (k) via a network or a portable recording medium. = 1, ..., K-1). Further, each of the N data storage devices 120-i (i = 1,..., N) can provide information to the data restoration device 130 via a network or a portable recording medium. It is.

  As illustrated in FIG. 2A, the data distribution apparatus 110 according to the present exemplary embodiment includes an input unit 111, an output unit 112, a memory 113, a control unit 114, a selection unit 115, a conversion unit 116, and a distributed value generation unit 117. The data distribution apparatus 110 according to this embodiment executes each process under the control of the control unit 114. Data input to the input unit 111 and data obtained in each process are stored in the memory 113, and the data stored in the memory 113 is read as necessary and used for other processes.

  As illustrated in FIG. 2B, the data storage device 120-λ (λε {1,..., N}) includes an input unit 121-λ, an output unit 122-λ, memories 123a-λ, and a storage unit 123b-. λ, control unit 124-λ, and secret calculation unit 127-λ. The data storage device 120-λ of this embodiment executes each process under the control of the control unit 124-λ. Data input to the input unit 121-λ and data obtained by each process are stored in the memory 123a-λ and the storage unit 123b-λ, and data stored in the memory 123a-λ and the storage unit 123b-λ are necessary. Is read out and used for other processing.

  As illustrated in FIG. 3A, the data restoration device 130 according to the present exemplary embodiment includes an input unit 131, an output unit 132, a memory 133, a control unit 134, a conversion unit 135, and a restoration unit 136. The data restoration apparatus 130 according to this embodiment executes each process under the control of the control unit 134. Data input to the input unit 131 and data obtained in each process are stored in the memory 133, and the data stored in the memory 133 is read as necessary and used for other processes.

  As illustrated in FIG. 3B, the distributed data conversion apparatus 140-κ (κε {1,..., K-1}) of this embodiment includes an input unit 141-κ, an output unit 142-κ, and a memory 143a-. κ, storage unit 143b-κ, control unit 144-κ, and transform variance value generation unit 146-κ. The distributed data conversion apparatus 140-κ of this embodiment executes each process under the control of the control unit 144-κ. Data input to the input unit 141-κ and data obtained by each process are stored in the memory 143a-κ and the storage unit 143b-κ, and data stored in the memory 143a-κ and the storage unit 143b-κ are necessary. Is read out and used for other processing.

<Data distribution processing>
As illustrated in FIG. 4A, the value αεG that is secretly shared is input to the input unit 111 of the data distribution apparatus 110 (FIG. 2A) (step S111). Examples of the value α are a moving image file, an audio file, a text file, a table file, and the like. The data amount of the value α, that is, the data amount of the elements of the set G is, for example, 1 megabyte or more.

  The selection unit 115 selects K-1 values v (k) (k = 1, ..., K-1) and selects values v (k) (k = 1, ..., K-1). Is output (step S112). The selection unit 115 may select K−1 values v (k) (k = 1,..., K−1) randomly at a time, or is generated in advance and stored in the memory. K−1 values v (k) (k = 1,..., K−1) may be selected from a plurality of values according to a predetermined rule. For example, the data amount of each of the selected values v (k) (k = 1,..., K−1) is preferably smaller than the data amount of the elements (one element) of the set G. In consideration of safety, the value v (k) is a value that makes it difficult to specify the value v (k) from the value a (k) or P (x) generated from the value v (k) ( In consideration of attacks by exhaustive search and the performance of current computers, the value v (k) is preferably a random number of about 80 bits or more.

  Values v (k) (k = 1,..., K−1) are input to the conversion unit 116. The conversion unit 116 converts K−1 values a (k) = P (v (k)) ∈G (k = k) from the input values v (k) (k = 1,..., K−1). 1, ..., K-1) and outputs the K-1 values a (k) = P (v (k)) (k = 1, ..., K-1) ( Step S113). When P (x) is a pseudorandom number generation function, the value a (k) is a pseudorandom number.

The value α input to the input unit 111 and the K−1 values a (k) = P (v (k)) (k = 1,..., K−1) output from the conversion unit 116 are as follows. The value is input to the variance value generation unit 117. The variance value generation unit 117 uses these to generate N variance values T _k (α) = v (k) (k = 1,..., K−1), T _θ (α) = f (n ( θ)) (θ = K,..., N) is generated, and N dispersion values T _i (α) (i = 1,..., N) are output. Where f (x) is f (n (k)) = a (k) (k) for the values n (1), ..., n (K-1) and the value α∈G that is an element of the set G. = 1,..., K−1) and f (n (0)) = α. n (0), n (1),..., n (N) are different from each other (step S114). The variance value generation unit 117, for example, is K−1 order satisfying f (n (k)) = a (k) (k = 1,..., K−1) and f (n (0)) = α. T _θ (α is obtained by calculating each coefficient of the equation f (x) and substituting n (θ) (θ = K, ..., N) into the K-1 order equation f (x) specified by them. ) = f (n (θ)) (θ = K,..., N) is generated. n (0), n (1),..., n (N) may be made constant by the variance value generation unit 117, or may be a predetermined constant. Examples of n (0), n (1), ..., n (N) are different integers, for example n (0), n (1), ..., n (N) are different 0 It is an integer of N or less. As a specific example, n (0) = 0, n (i) = i (i = 1,..., N). In this embodiment, the value of i can be specified from the variance value T _i (α), and n (0), n (1),..., N (N) are predetermined constants corresponding to i. The case where n (i) can be specified will be exemplified.

N variance values T _i (α) (i = 1,..., N) are input to the output unit 112, and the output unit 112 outputs N variance values T _i (α) (i = 1,... ., N) is output (step S115). Each of the output T _i (α) (i = 1,..., N) is provided to each of the data storage devices 120-i (i = 1,..., N). For example, the dispersion value T _λ (α) (λε {1,..., N}) is transmitted to the corresponding data storage device 120-λ (FIG. 2B) via a network or the like. The variance value T _λ (α) provided to the data storage device 120-λ is input to the input unit 121-λ and stored in the storage unit 123b-λ.

<Distributed data conversion processing>
A distributed data conversion process executed by the distributed data conversion device 140-κ (κε {1,..., K-1}) will be described with reference to FIG. 4B.
The dispersion value T _κ (α) = v (κ) stored in the storage unit 123b-κ of the data storage device 120-κ (κ∈ {1,..., K-1}) is output to the output unit 122-κ. The output unit 122-κ outputs the dispersion value T _κ (α) = v (κ). The output variance value T _κ (α) = v (κ) is transmitted to the corresponding distributed data conversion device 140-κ (FIG. 3B) via a network or the like. The distributed value T _κ (α) provided to the distributed data converter 140-κ is input to the input unit 141-κ and stored in the storage unit 143b-κ (step S141-κ).

The transformed variance value generation unit 146-κ converts the transformed variance value S from the variance value T _κ (α) = v (κ) (κ∈ {1,..., K-1}) read from the storage unit 143b-κ. _κ (α) = P (v (κ)) is generated, and the transformed variance value S _κ (α) is output (step S142-κ). The transformed variance value S _κ (α) is input to the output unit 142-κ, and the output unit 142-κ outputs the transformed variance value S _κ (α) (step S143-κ). The output transformed variance value S _κ (α) is transmitted to the corresponding data storage device 120-κ (FIG. 2B) via a network or the like. The transformed variance value S _κ (α) is input to the input unit 121-κ of the corresponding data storage device 120-κ and stored in the storage unit 123b-κ.

<Distributed value provision / secret calculation>
The data storage devices 120-λ (FIG. 2B) corresponding to K different λ∈ {1,..., N} output the variance value T _λ (α) stored in the storage unit 123b-λ. Alternatively, a secret calculation is performed and a variance value E _λ representing the result is output.

When the variance value T _λ (α) is output, the output unit 122-λ of the data storage device 120-λ outputs the variance value T _λ (α) read from the storage unit 123b-λ. In this case, all the data storage devices 120-λ corresponding to K different λ∈ {1,..., N} output the variance value T _λ (α). The output K dispersion values T _λ (α) are sent to the data restoration device 130 via a network or the like.

When the variance value E _λ is output, the secret calculation unit 127-λ of the data storage device 120-λ may use the variance value T _λ (α) read from the storage unit 123b-λ or the transformed variance value S _λ (α ) Is used to execute a secret calculation (for example, the secret calculation of Non-Patent Document 2), and the output unit 122-λ outputs a variance value E _λ representing the calculation result. Whether secret value T _λ (α) or transform variance value S _λ (α) is used for secret computation is λ∈ {1, ..., K-1} or λ∈ {K,. .., N}. When λ∈ {1, ..., K-1}, a secret calculation is performed using the transformation variance S _λ (α), and when λ∈ {K, ..., N} The secret calculation is performed using the variance value T _λ (α). In this case, all the data storage devices 120-λ corresponding to K different λε {1,..., N} perform secret calculation and output the variance value E _λ . The output K dispersion values E _λ are sent to the data restoration device 130 via a network or the like.

<Data restoration processing>
As illustrated in FIG. 4C, the input unit 131 of the data restoration device 130 (FIG. 3A) has K variance values T _λ (corresponding to K different λ∈ {1,..., N}. α) or K dispersion values E _λ are input (step S131). The control unit 134 determines whether K variance values T _λ (α) have been input or K variance values E _λ have been input (step S132).

If it is determined in step S132 that K dispersion values T _λ (α) have been input, these K dispersion values T _λ (α) are input to the conversion unit 135. The conversion unit 135 _calculates K different values n (λ) (λ∈ {1, N} from the variance values T _λ (α) corresponding to these K different λ∈ {1,..., N}. .., N}) are generated and K values f (n (λ)) are output (step S133). For example, the conversion unit 135 _{calculates the} variance value T _κ (α) = v (κ) (κ∈ {1,..., K-1}) included in the K variance values T _λ (α). f (n (κ)) = P (v (κ)) is calculated and the value f (n (κ)) is output, and the variance value T _ζ (α included in the K variance values T _λ (α) ) The value f (n (ζ)) = T _ζ (α) is output for (ζ∈ {K,..., N}).

値αは出力部１３２に入力され、そこから出力される（ステップＳ１３５）。ただし上記は関数Fの補間であり、集合Gによっては正しくαが復元できない場合があるので、集合Gに応じて適切にαの導出式を用いる必要がある。なおG=GF(p)であればラグランジュ補間法により正しく復元できる。 K values f (n (λ)) are input to the restoration unit 136. The restoration unit 136 satisfies F (n (λ)) = f (n (λ)) (λ∈ {1,..., N}) for these K values f (n (λ)). The function value F (n (0)) = α of the K−1 linear expression F (x) is generated, and the value α obtained thereby is output (step S134). From the value f (n (λ)) corresponding to K different values n (λ), the K−1 linear expression F (x) is uniquely determined, and the value α is also uniquely determined. There is no limitation on the calculation method for obtaining the function value F (n (0)) = α from the K values f (n (λ)). One of the calculation methods is a method using Lagrange interpolation. For example, n (0) = 0, n (1), ..., n (N) are different integers from 1 to N, and K different values n (λ) are n (1 ), ..., n (K), the function value F (0) = α can be calculated as follows.

The value α is input to and output from the output unit 132 (step S135). However, the above is interpolation of the function F, and α may not be correctly restored depending on the set G. Therefore, it is necessary to appropriately use a derivation formula of α according to the set G. If G = GF (p), it can be correctly restored by Lagrange interpolation.

On the other hand, when it is determined in step S <b> 132 that the variance value E _λ has been input, K variance values E _λ are input to the restoration unit 136. The restoration unit 136 restores the calculation result ε from the K variance values E _λ according to a predetermined restoration method (for example, the restoration method of Non-Patent Document 2), and outputs the calculation result ε (step S136). The calculation result ε is input to the output unit 132 and is output therefrom (step S137).

<Features of this embodiment>
In this embodiment, compared to the conventional secret sharing scheme, the data amount of the distributed value can be greatly reduced. That is, of the N dispersion values T _i (α) (i = 1, ..., N) of the present embodiment, K-1 dispersion values T _k (α) (k = 1, ..., K−1) is the variance value T _k (α) = v (k) (k = 1,..., K−1). On the other hand, the data amount of the distributed value obtained by secretly sharing the value αεG according to the Shamir secret sharing scheme is equal to or larger than the data amount of the elements (one element) of the set G. Therefore, the data amount of each variance value T _k (α) = v (k) is smaller than the variance value obtained by secretly sharing the value α∈G according to the Shamir secret sharing scheme. How much the data amount of the variance value can be reduced depends on the difference between the data amount of v (k) and the data amount of elements of the set G. For example, if the total data amount of values v (k) (k = 1, ..., K-1) is smaller than the total data amount of K-1 elements of the set G, the variance of this embodiment The total data amount of the value is smaller than the total data amount of the distributed value of the conventional secret sharing scheme. The total data amount of the value v (k) (k = 1, ..., K-1) is smaller than the total data amount of the K-1 elements of the set G, for example, the value v (k) Or the case where the data amount of each element of the set G is smaller than the data amount of the elements of the set G. Furthermore, if the data amount of each value v (k) is negligibly small relative to the data amount of the elements of the set G, N variance values T _i (α) (i = 1, ..., The data amount of K-1 variance values T _k (α) = v (k) (k = 1, ..., K-1) out of N) is negligible, and N variance values T _i (α ) The total data amount of (i = 1,..., N) is approximately the same as the total data amount of (N−K + 1) elements of the set G.

  Furthermore, the distributed data conversion process in the distributed data conversion device generates a converted distributed value that can be used as an input for the secret calculation without restoring the original value α from the distributed value obtained by the data distribution device. It is also possible to execute a secret calculation.

In this embodiment, the variance value generation unit 117 has N variance values T _i (α) (i = 1,..., K), T _θ (α) = f (n (θ)) (θ = K, ..., N). However, the variance value generation unit is [n (k), T _k (α) = v (k)] (k = 1, ..., K-1), [n (θ), T _θ (α) = f (n (θ))] (θ = K, ..., N) may be output. In this case, the distributed data conversion device generates and outputs [n (k), S _k (α) = P (v (k))] from [n (k), T _k (α)], and restores the data. The device is [n (k), T _k (α)] (k = 1, ..., K-1), [n (θ), T _θ (α)] (θ = K, ..., N ) May be restored from any K [n (λ), T _λ (α)] (λ∈ {1,..., N}).

Alternatively, the variance value generation unit 117 outputs [k, n (k), T _k (α) = v (k)] (k = 1,..., K−1), [θ, n (θ), T _θ (α) = f (n (θ))] (θ = K,..., N) may be output. In this case, the distributed data converter generates [k, n (k), S _k (α) = P (v (k))] from [k, n (k), T _k (α)] and outputs it And the data restoration device [k, n (k), T _k (α)] (k = 1, ..., K-1), [θ, n (θ), T _θ (α)] (θ = K, ..., N) Even if the value α is restored from K [θ, n (λ), T _λ (α)] (λ∈ {1, ..., N}) Good.

Alternatively, the variance value generation unit 117 outputs [k, T _k (α) = v (k)] (k = 1,..., K−1), [θ, T _θ (α) = f (n ( θ))] (θ = K,..., N) may be output. In this case, the distributed data conversion device generates and outputs [k, S _k (α) = P (v (k))] from [k, T _k (α)], and the data restoration device outputs [k, T _{k (α)] (k =} 1, ..., K-1), [θ, T θ (α)] (θ = K, ..., N) of any of the K _[λ T λ ( α)] The value α may be restored from (λ∈ {1,..., N}). In addition, the dispersion value generation unit 117 may output other additional information as a dispersion value in addition to T _i (α).

The data amount of i, n (i) (i = 1,..., N) is smaller than the data amount of the elements of the set G. Preferably, the data amount of i, n (i) (i = 1,..., N) is negligible with respect to the data amount of the elements of the set G (for example, (i, n (i) Respective data amount) / (data amount of elements of set G) ≦ 80/10 ⁶ ).

[Second Embodiment]
Next, a second embodiment of the present invention will be described. This embodiment is a modification of the first embodiment, and further reduces the data amount of the distributed value by diverting the same value v (k) to a plurality of secret sharing. Below, it demonstrates centering on difference with 1st Embodiment. The same reference numerals as those in the first embodiment are used for the processing units and steps common to the first embodiment, and the description will be simplified.
In the second embodiment, N, K, and R are integers of 2 or more, K ≦ N, G is a certain set, and P (x) moves a value corresponding to x to an element of the set G It is a mapping. Specific examples of the set G and mapping P (x) in the present embodiment are the same as the specific examples of the set G and mapping P (x) described in the first embodiment. K = N may be sufficient and K <N may be sufficient.

The secret sharing system according to the second embodiment includes a data sharing device, a data restoration device, N data storage devices, and K-1 distributed data conversion devices.
The data distribution apparatus of this embodiment selects K−1 values v (k) (k = 1,..., K−1), and sets values corresponding to r and value v (k) to z ( r, v (k)) and K-1 values for each r a _r (k) = P (z (r, v (k))) (r = 1, ..., R, k = 1, ..., K-1) and R T _k (α ₁ ), ..., T _k (α for each k (k = 1, ..., K-1) _{Let R (} ) be at least one v (k), T _θ (α _r ) = f _r (n _r (θ)) (θ = K, ..., N), and N variances for each r Get the values T _i (α _r ) (i = 1, ..., N, r = 1, ..., R). Where f _r (x) is f _r (n _r (k)) for the values n _r (1), ..., n _r (K-1) and the value α _r ∈G that is an element of the set G. _{= a r (k) (k} = 1, ..., K-1) and _{f r (n r (0)} ) = a K-1 order equation that satisfies alpha _r. The values n _r (0), n _r (1),..., N _r (N) corresponding to the same r are different from each other. The same “z (r, v (k))” corresponds to the same “combination of r and v (k)”. z (r, v (k)) and “combination of r and v (k) (r, v (k))” may or may not correspond one-to-one.

The data restoration apparatus according to the present embodiment is configured such that for each of r (r = 1,..., R), K dispersion values T _λ corresponding to K different λ∈ {1,. From (α _r ), values f _r (n _r (λ)) corresponding to K different values n _r (λ) (λ∈ {1, ..., N}) are obtained, and r (r = 1, ..., R), for each f _r (n _r (λ)), F _r (n _r (λ)) = f _r (n _r (λ)) (λ∈ {1, ..., N}) to obtain a function value F _r (n _r (0)) = α _r of the K−1 linear expression F _r (x). For example, the data restoration apparatus according to the present embodiment includes k variance values T _λ (α _r ) corresponding to K different λ∈ {1,..., N} to v (κ) (κ∈ {1 , ..., K-1}), let f _r (n _r (κ)) = P (z (r, v (κ))) (r = 1, ..., R) .

Each of the distributed data converters has a distributed value T _κ (α _{r ′} ) = v (κ) (κ∈ {1, ..., K-1}, r′∈ {1, ..., R}) To obtain a transformed dispersion value S _κ (α _r ) = P (z (r, v (κ))). The transform variance value S _κ (α _r ) thus obtained is used as an input value for secret calculation. A specific example of the secret calculation is a secret calculation based on Shamir secret sharing disclosed in Non-Patent Document 2, for example. The secret calculation may be a unary operation or a multinomial operation.

Preferably, in this embodiment, the total data amount of values v (k) (k = 1,..., K−1) is smaller than the total data amount of K−1 elements of the set G. Preferably, in this embodiment, the data amount of any value v (k) is smaller than the data amount of the elements of the set G. More preferably in this embodiment, the data amount of each value v (k) is smaller than the data amount of the elements (one element) of the set G. Even more preferably, the data amount of each value v (m) is negligible with respect to the data amount of the elements of the set G (for example, (data amount of each of v (m)) / (set G The amount of data in the element) ≤ 80/10 ⁶ ).

<Configuration>
As illustrated in FIG. 1, the secret sharing system 2 of the second embodiment includes a data sharing device 210, N data storage devices 220-i (i = 1,..., N), K−1 pieces. The distributed data converter 240-k (k = 1,..., K-1) and the data restoration device 230 are included. The data distribution device 210 can provide information to the N data storage devices 220-i (i = 1,..., N) via a network or a portable recording medium. Each of the N data storage devices 220-i (i = 1,..., N) is connected to K−1 distributed data conversion devices 240-k (k) via a network or a portable recording medium. = 1, ..., K-1). Further, each of the N data storage devices 220-i (i = 1,..., N) can provide information to the data restoration device 230 via a network or a portable recording medium. It is.

  As illustrated in FIG. 2A, the data distribution apparatus 210 according to the present exemplary embodiment includes an input unit 111, a division unit 211, an output unit 112, a memory 113, a control unit 214, a selection unit 115, a conversion unit 216, and a distributed value generation unit 217. Have The data distribution apparatus 210 according to this embodiment executes each process under the control of the control unit 214.

  As illustrated in FIG. 2B, the data storage device 220-λ (λε {1,..., N}) includes an input unit 121-λ, an output unit 122-λ, a memory 123a-λ, and a storage unit 123b-. λ, control unit 224-λ, and secret calculation unit 227-λ. The data storage device 220-λ of this embodiment executes each process under the control of the control unit 224-λ.

  As illustrated in FIG. 3A, the data restoration device 230 according to this embodiment includes an input unit 131, an output unit 132, a memory 133, a control unit 234, a conversion unit 235, a restoration unit 236, and a combining unit 237. The data restoration device 230 according to this embodiment executes each process under the control of the control unit 234.

  As illustrated in FIG. 3B, the distributed data conversion apparatus 240-κ (κε {1,..., K-1}) of this embodiment includes an input unit 141-κ, an output unit 142-κ, and a memory 143a-. κ, storage unit 143b-κ, control unit 244-κ, and transform variance value generation unit 246-κ. The distributed data converter 240-κ of this embodiment executes each process under the control of the control unit 244-κ.

<Data distribution processing>
As illustrated in FIG. 5A, a secret value α is input to the input unit 111 of the data distribution device 210 (FIG. 2A) (step S111). The value α is input to the dividing unit 211. Dividing unit 211, R number of values alpha _r ∈G value alpha is an element of the set G (r = 1, ..., R) is divided into, R number of values α _{r (r} = 1, .. ., R) is output (step S211). For example, the dividing unit 211 performs division so that the bit combination value of the R values α _r (r = 1,..., R) becomes the value α.

  The selection unit 115 selects K-1 values v (k) (k = 1, ..., K-1) and selects values v (k) (k = 1, ..., K-1). Is output (step S112).

Values v (k) (k = 1,..., K−1) are input to the conversion unit 216. The converting unit 216 sets z (r, v (k)) as a value corresponding to r and the value v (k), and K−1 values a _r (k) = P (z) for each of _r. (r, v (k))) (r = 1, ..., R, k = 1, ..., K-1) and generates (K-1) x R values a _r ( k) = P (z (r, v (k))) (r = 1,..., R, k = 1,..., K-1) is output (step S213). When P (x) is a pseudorandom number generation function, the value a _r (k) is a pseudorandom number.

R values α _r (r = 1,..., R) output from the dividing unit 211 and (K−1) × R values a _r (k) = P ( z (r, v (k))) (r = 1,..., R, k = 1,..., K−1) is input to the variance value generation unit 217. The variance value generation unit 217 converts at least one of _R T _k (α ₁ ),..., T _k (α _R ) to v (k = 1,..., K−1), v (k), T _θ (α _r ) = f _r (n _r (θ)) (θ = K, ..., N), and N dispersion values T _i (α _r ) ( i = 1, ..., N, r = 1, ..., R). Where f _r (x) is f _r (n _r (k)) for the values n _r (1), ..., n _r (K-1) and the value α _r ∈G that is an element of the set G. _{= a r (k) (k} = 1, ..., K-1) and _{f r (n r (0)} ) = a K-1 order equation that satisfies alpha _r. The values n _r (0), n _r (1),..., N _r (N) corresponding to the same r are different from each other (step S214). For example, the variance value generation unit 217 calculates f _r (n _r (k)) = a _r (k) (k = 1,..., K−1) and f _r (n _r (0)) = α _r obtains the coefficients of a met K-1 linear equation f _r (x), are identified by their K-1 linear equation f _r (x) in _{n r (θ) (θ =} K, ..., n) Is substituted to generate T _θ (α _r ) = f _r (n _r (θ)) (θ = K,..., N). F _r (x) corresponding to different r may be different or the same. n _r (0), n _r (1),..., n _r (N) may be made constant by the variance value generation unit 217 or may be a predetermined constant. In this embodiment, the values of i and r can be specified from the variance value T _i (α _r ), and n _r (0), n _r (1), ..., n _r (N) are predetermined constants. An example is given. N _r (0) corresponding to different r may be different or the same. N _r (i) corresponding to different r may be different or the same. Examples of n _r (0), n _r (1),..., n _r (N) are different integers, for example, different integers of 1 to N. As a specific example, n _r (0) = 0, n _r (i) = i (i = 1,..., N). Also, all of R T _k (α ₁ ), ..., T _k (α _R ) may be v (k), or R T _k (α ₁ ), ..., Only one of T _k (α _R ) may be v (k). Of T _k (α ₁ ),..., T _k (α _R ), those that are not v (k) may be null values or parameters such as r and R. An example of T _k (α ₁ ), ..., T _k (α _R ) is T _k (α ₁ ) = v (k), T _k (α ₂ ) = ... = T _k (α _R ) = φ. However, φ indicates a null value.

R × N variance values T _i (α _r ) (i = 1, ..., N, r = 1, ..., R) are input to the output unit 112, and the output unit 112 has N variances. The values T _i (α _r ) (i = 1,..., N, r = 1,..., R) are output (step S215). Each of the output variance values T _i (α _r ) (i = 1,..., N, r = 1,..., R) corresponds to the data storage device 220-i (i = 1,. ), N). For example, the variance value T _λ (α _r ) (λ∈ {1,..., N}, r = 1,. (FIG. 2B). The dispersion values T _λ (α _r ) (r = 1,..., R) provided to the data storage device 220-λ are input to the input unit 121-λ and stored in the storage unit 123b-λ.

<Distributed data conversion processing>
The distributed data conversion process executed by the distributed data converter 240-κ (κε {1,..., K-1}) will be described with reference to FIG. 5B.
The variance T _κ (α _r ) (r = 1,..., R) stored in the storage unit 123b-κ of the data storage device 220-κ (κ∈ {1,..., K−1}). Is sent to the output unit 122-κ, and the output unit 122-κ outputs the dispersion value T _κ (α _r ) (r = 1,..., R). The output distributed value T _κ (α _r ) (r = 1,..., R) is transmitted via a network or the like to the corresponding distributed data converter 240-κ (κ∈ {1,. K-1}) (FIG. 3B). The distributed values T _κ (α _r ) (r = 1,..., R) provided to the distributed data converter 240-κ are input to the input unit 141-κ and stored in the storage unit 143b-κ ( Step S241-κ).

The transformed variance value generation unit 246-κ is the variance value T _κ (α _{r ′} ) = v (κ) (κ∈ {1,..., K−) that is v (κ) read from the storage unit 143b-κ. 1}, r′∈ {1, ..., R}) to generate a transformed variance value S _κ (α _r ) = P (z (r, v (κ))), and the transformed variance value S _κ ( α _r ) is output (step S242-κ). The output transform variance value S _κ (α _r ) (r = 1, ..., R) is sent to the corresponding data storage device 220-κ (r = 1, ..., R) via a network or the like. ) (FIG. 2B). The transformed variance value S _κ (α _r ) (r = 1,..., R) is input to the input unit 121-κ of the corresponding data storage device 220-κ and stored in the storage unit 123b-κ.

<Distributed value provision / secret calculation>
The data storage devices 220-λ (FIG. 2B) corresponding to the K different λ∈ {1,..., N} are distributed values T _λ (α _r ) (r = 1,..., R), or a secret calculation is performed and a variance value E _{λ, r} (r = 1,..., R) representing the result is output.

When the dispersion value T _λ (α _r ) (r = 1,..., R) is output, the output unit 122-λ of the data storage device 220-λ is read from the storage unit 123b-λ. Outputs the value T _λ (α _r ) (r = 1, ..., R). In this case, all the data storage devices 220-λ corresponding to K different λ∈ {1,..., N} are distributed values T _λ (α _r ) (r = 1,..., R). Is output. The output K × R variance values T _λ (α _r ) (r = 1,..., R) are sent to the data restoration device 230 via a network or the like.

When the variance value E _{λ, r} (r = 1,..., R) is output, the secret calculation unit 227-λ of the data storage device 220-λ reads the variance value read from the storage unit 123b-λ. Using T _λ (α _r ) (r = 1, ..., R) or transformation variance S _λ (α _r ) (r = 1, ..., R), r (r = 1, ... , R), a secret calculation is performed, and the output unit 122-λ outputs a variance value E _{λ, r} representing the calculation result. Whether the variance T _λ (α _r ) or the transformation variance S _λ (α _r ) is used for the secret calculation is λ∈ {1, ..., K-1} or λ∈ {K , ..., N}. When λ∈ {1, ..., K-1}, a secret calculation is performed using the transformation variance S _λ (α _r ), and when λ∈ {K, ..., N} Is subjected to a secret calculation using the variance value T _λ (α _r ). In this case, all the data storage devices 220-λ corresponding to K different λ∈ {1,..., N} perform secret calculation and output the distributed value E _{λ, r} . The output K × R variance values E _{λ, r} are sent to the data restoration device 230 via a network or the like.

<Data restoration processing>
As illustrated in FIG. 5C, the input unit 131 of the data restoration device 230 (FIG. 3A) has a variance value T _λ (α _r ) corresponding to K different λ∈ {1,..., N}. (r = 1,..., R) or the dispersion value E _{λ, r} (r = 1,..., R) is input (step S231). The control unit 234 determines whether the variance value T _λ (α) is input or the variance value E _λ is input (step S232).

If it is determined in step S 232 that the variance value T _λ (α _r ) has been input, these K × R variance values T _λ (α _r ) are input to the conversion unit 235. For each of r (r = 1,..., R), the conversion unit 235 uses K dispersion values T _λ (α _r corresponding to K different λ∈ {1,..., N}. ) To generate values f _r (n _r (λ)) corresponding to K different values n _r (λ) (λ∈ {1, ..., N}), and K × R values f _r (n _r (λ)) (λ∈ {1,..., N}, r = 1,..., R) is output (step S233). For example, the converting unit 235 converts T _κ (α _{r ′} ) = v (κ) into K variance values T _λ (α _r ) corresponding to K different λ∈ {1,..., N}. If (κ∈ {1, ..., K-1}, r'∈ {1, ..., R}) is included, f _r (n _r (κ)) = P (z (r, v (kappa))) and outputs the calculated and the value _{f r (n r (κ)} ), said K number of variance T λ _{(α r)} variance T _zeta including the (α _r) (ζ∈ {K , ..., N}), the value f _r (n _r (ζ)) = T _ζ (α _r ) is output.

K × R values f _r (n _r (λ)) (λ∈ {1,..., N}, r = 1,..., R) are input to the restoration unit 236. For each of r (r = 1,..., R), the restoration unit 236 performs F _r (n _r (λ)) = f _r (n _r for the value f _r (n _r (λ)). (λ)) Generate a function value F _r (n _r (0)) = α _r of the K-1 order expression F _r (x) that satisfies (λ∈ {1, ..., N}), and thereby The obtained value α _r is output (step S234). For each of r (r = 1, ..., R), from a value f _r (n _r (λ)) corresponding to K different values n _r (λ), a K-1 order expression F _r ( x) is uniquely determined, and the value α _r is also uniquely determined. There is no limitation on the calculation method for obtaining the function value F (n _r (0)) = α _r from the value f _r (n _r (λ)). For example, n _r (0) = 0, n _r (1), ..., n _r (N) are different integers from 1 to N and K different values n _r (λ) , N _r (1), ..., n _r (K), the function value F (0) = α _r can be calculated as follows (Lagrange interpolation method).

The values α _r (r = 0,..., R−1) are input to the coupling unit 237. The combining unit 237 combines the R values α _r (r = 0,..., R−1) to generate a value αεG, and outputs the value α (step S235). For example, the combining unit 237 outputs the bit combination value of α _r (r = 0,..., R−1) as a value α. The value α is input to and output from the output unit 132 (step S135).

On the other hand, in step S232, the dispersion value E _lambda, when it is determined that _r is input, the dispersion value E _{lambda, r} is inputted to the restoration unit 236. The restoration unit 236 restores the calculation result ε _r (r = 0,..., R−1) from the K dispersion values E _{λ, r} according to a predetermined restoration method (for example, the restoration method of Non-Patent Document 2). The calculation result ε _r (r = 0,..., R−1) is output (step S236). The calculation result ε _r (r = 0,..., R−1) is input to the coupling unit 237. The combining unit 237 combines the R values ε _r (r = 0,..., R−1) to generate a value εεG, and outputs the value ε (step S237). For example, the combining unit 237 outputs a bit combination value of ε _r (r = 0,..., R−1) as a value ε. The value ε is input to and output from the output unit 132 (step S137).

<Features of this embodiment>
In this embodiment, compared to the conventional secret sharing scheme, the data amount of the distributed value can be greatly reduced. That is, among the variance values T _i (α _r ) (i = 1, ..., N) of this embodiment, the variance values T _k (α _r ) (k = 1, ..., K-1) are v (k) (k = 1, ..., K-1). On the other hand, the data amount of the distributed value obtained by secret sharing the value α _r εG according to the Shamir secret sharing scheme is equal to or larger than the data amount of the elements (one element) of the set G. Therefore, the data amount of each variance value T _k (α) = v (k) is smaller than the variance value obtained by secretly sharing the value α∈G according to the Shamir secret sharing scheme. How much the data amount of the variance value can be reduced depends on the difference between the data amount of v (k) and the data amount of elements of the set G. For example, if the total data amount of values v (k) (k = 1, ..., K-1) is smaller than the total data amount of K-1 elements of the set G, the variance of this embodiment The total data amount of the value is smaller than the total data amount of the distributed value of the conventional secret sharing scheme. The total data amount of the value v (k) (k = 1, ..., K-1) is smaller than the total data amount of the K-1 elements of the set G, for example, the value v (k) Or the case where the data amount of each element of the set G is smaller than the data amount of the elements of the set G. Furthermore, if the data amount of each value v (k) is negligibly small with respect to the data amount of the elements of the set G, N distributed values T _i (α _r ) (i = 1, ... , N), the data amount of the variance value T _k (α _r ) = v (k) (k = 1, ..., K-1) can be ignored, and the variance value T _i (α _r ) (i = 1 ,..., N, r = 1,..., R) is approximately the same as the total data amount of R × (N−K + 1) elements of the set G. On the other hand, the total data amount of the distributed value obtained by secret sharing the value α _r (r = 1, ..., R) according to the Shamir secret sharing scheme is the total data amount of R × N elements of the set G. The same level. Therefore, in this case, the total data amount of the variance values T _i (α _r ) (i = 1, ..., N, r = 1, ..., R) of this embodiment is the variance in the Shamir secret sharing scheme. It is (N-K + 1) / N times the total amount of data. Since N ≧ K, the total data amount of the variance values T _i (α _r ) (i = 1, ..., N, r = 1, ..., R) in this case is the Shamir secret It is smaller than the total data amount of the distributed values in the distribution method.

Further, the distributed data conversion processing in the distributed data conversion device can be used to obtain a converted distributed value that can be used as an input for the secret calculation without restoring the original value α _r from the distributed value obtained by the data distribution device. It can also generate and perform secret computations.

In this embodiment, the variance value generation unit 217 uses the variance values T _k (α _r ) (k = 1,..., K−1, r = 1,..., R), T _θ (α _r ) = f _r (n _r (θ)) (θ = K, ..., N, r = 1, ..., R). However, the variance generator generates [n _r (k), T _k (α _r )] (k = 1, ..., K-1, r = 1, ..., R), [n _r ( θ), T _θ (α _r )] (θ = K,..., N, r = 1,..., R) may be output. In this case, the distributed data converter generates and outputs [n _r (k), S _k (α _r )] from [n _r (k), T _k (α _r )], and the data restoration device [n _r (k), T _k (α _r )] (k = 1, ..., K-1), [n _r (θ), T _θ (α)] (θ = K, ..., N) The value α _r may be restored from any K [n _r (λ), T _λ (α _r )] (λ∈ {1,..., N}).

Alternatively, the variance value generation unit may be [r, n _r (k), T _k (α _r )] (k = 1, ..., K-1, r = 1, ..., R), [r , n _r (θ), T _θ (α _r )] (θ = K,..., N, r = 1,..., R) may be output. In this case, the distributed data conversion device _{[r, n r (k)} , T k (α r)] from _{[r, n r (k)} , S k (α r)] to generate and output data recovery The device is [r, n _r (k), T _k (α _r )] (k = 1, ..., K-1), [r, n _r (θ), T _θ (α)] (θ = Restore the value α _r from any K [r, n _r (λ), T _λ (α _r )] (λ∈ {1, ..., N}) May be.

Alternatively, the variance value generation unit [r, T _k (α _r )] (k = 1, ..., K-1, r = 1, ..., R), [r, T _θ (α _r )] (θ = K, ..., N, r = 1, ..., R) may be output. In this case, the distributed data conversion device generates an _{[r, T k (α r} )] from _{[r, S k (α r} )] is output, the data restoration apparatus _{[r, T k (α r} )] (k = 1, ..., K-1), [r, T _θ (α)] (θ = K, ..., N) K [r, T _λ (α _r )] The value α _r may be restored from (λ∈ {1, ..., N}).

Alternatively, the variance value generation unit [r, k, T _k (α _r )] (k = 1, ..., K-1, r = 1, ..., R), [r, θ, T _θ (α _r )] (θ = K,..., N, r = 1,..., R) may be output. In this case, the distributed data conversion apparatus generates and outputs [r, k, S _k (α _r )] from [r, k, T _k (α _r )], and the data restoration apparatus [r, k, T _k (α _r )] (k = 1, ..., K-1), [r, θ, T _θ (α)] (θ = K, ..., N) , λ, T _λ (α _r )] (λ∈ {1,..., N}) may restore the value α _r . In addition, the dispersion value generation unit 217 may output other additional information as a dispersion value in addition to T _i (α).

The data amount of i, n (i) (i = 1,..., N) is smaller than the data amount of the elements of the set G. Preferably, the data amount of i, r, n _r (i) (i = 1, ..., N, r = 1, ..., R) is negligible with respect to the data amount of the elements of the set G (For example, (data amount of (i, r, n _r (i)) / (data amount of elements of set G) ≦ 80/10 ⁶ ).

[Third Embodiment]
Next, a third embodiment of the present invention will be described. This embodiment is a modification of the first embodiment, in which the elements included in the distribution value of the first embodiment are further secretly shared to further reduce the data amount. Below, it demonstrates centering on difference with the above-mentioned embodiment. The same reference numerals as those in the above-described embodiment are used for processing units and steps that are the same as those in the above-described embodiment, and the description will be simplified.
In the third embodiment, N and K are integers of 2 or more, K ≦ N, G is a certain set, and P (x) is a mapping in which a value corresponding to x is transferred to an element of the set G is there. Specific examples of the set G and mapping P (x) in the present embodiment are the same as the specific examples of the set G and mapping P (x) described in the first embodiment. K = N may be sufficient and K <N may be sufficient.

The secret sharing system according to the third embodiment includes a data distribution device, a data restoration device, N data storage devices, and N distributed data conversion devices.
The data distribution apparatus of this embodiment selects K−1 values v (k) (k = 1,..., K−1), and K−1 values a (k) = P (v ( k)) εG (k = 1,..., K−1) and the value f (n (K)). Where f (x) is f (n (k)) = a (k) (value n (1), ..., n (K-1) and value α∈G that is an element of the set G. A K−1 order expression satisfying k = 1,..., K−1) and f (n (0)) = α is f (x). n (0), n (1), ..., n (K) are different from each other. The data distribution apparatus secretly distributes v (k) (k = 1, ..., K-1) according to the (K, N) threshold secret distribution method V _{k and} N distributed values V for each k. _{k, i} (v (k)) (i = 1, ..., N) is obtained, and the value f (n (K)) is secretly distributed according to the (K, N) threshold secret sharing method U. Variance value U _i (f (n (K))) (i = 1, ..., N) and N variance values T _i (α) = (V _{1, i} (v (1)) , ..., V _{K-1, i} (v (K-1)), U _i (f (n (K)))) (i = 1, ..., N). Any method may be used as the (K, N) threshold secret sharing method V _k or the (K, N) threshold secret sharing method U. The (K, N) threshold secret sharing method U uses a method in which the data amount of one U _i (f (n (K))) is smaller than the data amount of one element of the set G desirable. For example, the method described in Reference 1 “H. Krawczyk,“ Secret sharing made short, ”CRYPTO'93, pp.136-146, 1993.” is used as the (K, N) threshold secret sharing scheme U. Desirable (details will be described later). It is desirable that the data amount of each of the variance values V _{k, i} (v (k)) (k = 1,..., K−1) is smaller than the data amount of elements of the set G. The (K, N) threshold secret sharing methods V ₁ ,..., V _K may or may not be the same method. Examples of the (K, N) threshold secret sharing method V _k are the method described in Reference 1 and the method described in Reference 1.

The data restoration apparatus according to the present embodiment uses K different n (μ) (μ) from K variance values T _λ (α) corresponding to K different λ∈ {1,. K values f (n (μ)) (μ = 1, ..., K) corresponding to = 1, ..., K) are obtained. For example, the data restoration apparatus may _calculate values f (n (K)) and v (k) from K variance values T _λ (α) corresponding to K different λ∈ {1,. ) (k = 1, ..., K-1) is restored and f (n (k)) = P (v (k)) (k = 1, ..., K-1) K values f (n (μ)) (μ = 1,..., K) corresponding to different n (μ) (μ = 1,..., K) are obtained. The data restoration device uses a function value F (n (0) of the K-1 degree expression F (x) that satisfies F (n (μ)) = f (n (μ)) )) = α is obtained.

The first,..., K−1th distributed data conversion apparatus of the present embodiment has K distributed values T _λ (α) (corresponding to K different λ∈ {1,. v (κ) (κ∈ {1, ..., K-1}) is restored from V _{κ, λ} (v (κ)) included in λ∈ {1, ..., N}), and v The transformation dispersion value P (v (κ)) (κ∈ {1,..., K−1}) is obtained from (κ). The K-th distributed data conversion apparatus according to the present embodiment includes K U _λ (f included in K distributed values T _λ (α) corresponding to K different λ∈ {1,. From (n (K))), a transform variance value f (n (K)) is obtained. The K + 1, ..., Nth distributed data converter of this embodiment is F (n (η) corresponding to n (η) different from n (μ) (μ = 1, ..., K). ) (η∈ {K + 1, ..., N}). Where F (x) is obtained from v (k) restored from K V _{k, λ} (v (k)) corresponding to K different λ∈ {1, ..., N}. F (n (k)) = P (v (k)) (k = 1, ..., K-1) and K different λ∈ {1, ..., N} For f (n (μ)) (μ = 1, ..., K) consisting of f (n (K)) restored from K U _λ (f (n (K))) It is a K-1 order equation satisfying F (n (μ)) = f (n (μ)) (μ = 1,..., K). The transform variance value obtained in this way is used as an input value for secret calculation. A specific example of the secret calculation is a secret calculation based on Shamir secret sharing disclosed in Non-Patent Document 2, for example. The secret calculation may be a unary operation or a multinomial operation.

Preferably, in this embodiment, the total data amount of values v (k) (k = 1,..., K−1) is smaller than the total data amount of K−1 elements of the set G. Preferably, in this embodiment, the data amount of any value v (k) is smaller than the data amount of the elements of the set G. More preferably in this embodiment, the data amount of each value v (k) is smaller than the data amount of the elements (one element) of the set G. Even more preferably, the data amount of each value v (m) is negligible with respect to the data amount of the elements of the set G (for example, (data amount of each of v (m)) / (set G The amount of data in the element) ≤ 80/10 ⁶ ).

<Configuration>
As illustrated in FIG. 6, the secret sharing system 3 according to the third embodiment includes a data distribution device 310, N data storage devices 320-i (i = 1,..., N), N distributed data. A conversion device 340-i (i = 1,..., N) and a data restoration device 330 are included. The data distribution device 310 can provide information to the N data storage devices 320-i (i = 1,..., N) via a network or a portable recording medium. Each of the N data storage devices 320-i (i = 1,..., N) is connected to the N distributed data conversion devices 340-i (i = 1) via a network or a portable recording medium. , ..., N) can exchange information. Each of the N distributed data conversion devices 340-i (i = 1,..., N) can provide information to each other via a network or a portable recording medium. Further, each of the N data storage devices 320-i (i = 1,..., N) can provide information to the data restoration device 330 via a network or a portable recording medium. It is.

  As illustrated in FIG. 7A, the data distribution apparatus 310 of this embodiment includes an input unit 111, an output unit 112, a memory 113, a control unit 314, a selection unit 115, a conversion unit 116, a calculation unit 316, and internal distribution units 318 and 319. And a variance value generation unit 317. The data distribution apparatus 310 according to this embodiment executes each process under the control of the control unit 314.

  As illustrated in FIG. 7B, the data storage device 320-λ (λε {1,..., N}) includes an input unit 121-λ, an output unit 122-λ, a memory 123a-λ, and a storage unit 123b-. λ, control unit 324-λ, and secret calculation unit 327-λ. The data storage device 320-λ of the present embodiment executes each process under the control of the control unit 324-λ.

  As illustrated in FIG. 8, the data restoration device 330 according to the present exemplary embodiment includes an input unit 131, an output unit 132, a memory 133, a control unit 334, a conversion unit 335, and a restoration unit 336. The conversion unit 335 includes internal restoration units 335a and 335b. The data restoration device 330 according to the present embodiment executes each process under the control of the control unit 334.

As illustrated in FIG. 9A, the distributed data conversion apparatus 340-κ (κε {1,..., K-1}) of this embodiment includes an input unit 141-κ, an output unit 142-κ, and a memory 143a-. κ, storage unit 143b-κ, control unit 344-κ, internal restoration unit 345-κ, and transform variance value generation unit 346-κ. As illustrated in FIG. 9B, the distributed data conversion apparatus 340-K according to the present embodiment includes an input unit 141-K, an output unit 142-K, a memory 143a-K, a storage unit 143b-K, a control unit 344-K, and A conversion variance value generation unit 346-K is included. As illustrated in FIG. 10, the distributed data conversion apparatus 340-η (ηε {K + 1,..., N}) of this embodiment includes an input unit 141-η, an output unit 142-η, and a memory 143a-. η, storage unit 143b-η, control unit 344-η, and conversion variance value generation unit 346-η.
The distributed data conversion apparatus 340-λ according to this embodiment executes each process under the control of the control unit 340-λ. Data input to the input unit 340-λ and data obtained by each process are stored in the memory 143a-λ and the storage unit 143b-λ, and data stored in the memory 143a-λ and the storage unit 143b-λ are necessary. Is read out and used for other processing.

<Data distribution processing>
As illustrated in FIG. 11A, a secret value αεG is input to the input unit 111 of the data distribution apparatus 310 (FIG. 7A) (step S111). The selection unit 115 selects K-1 values v (k) (k = 1, ..., K-1) and selects values v (k) (k = 1, ..., K-1). Is output (step S112). Values v (k) (k = 1,..., K−1) are input to the conversion unit 116. The conversion unit 116 converts K−1 values a (k) = P (v (k)) ∈G (k = k) from the input values v (k) (k = 1,..., K−1). 1, ..., K-1) and outputs the K-1 values a (k) = P (v (k)) (k = 1, ..., K-1) ( Step S113).

  The value α input to the input unit 111 and the K−1 values a (k) = P (v (k)) (k = 1,..., K−1) output from the conversion unit 116 are as follows. Input to the calculation unit 316. The calculation unit 316 uses these to generate a value f (n (K)) and outputs the obtained value f (n (K)). Where f (x) is f (n (k)) = a (k) (k) for the values n (1), ..., n (K-1) and the value α∈G that is an element of the set G. = 1,..., K−1) and f (n (0)) = α. n (0), n (1),..., n (K) are different from each other (step S314). For example, the variance value generation unit 317 performs K−1 order satisfying f (n (k)) = a (k) (k = 1,..., K−1) and f (n (0)) = α. Each coefficient of the expression f (x) is obtained, and f (n (K)) is generated by substituting n (K) into the K-1 degree expression f (x) specified by them. n (0), n (1),..., n (K) may be made constant by the variance value generation unit 317 or may be a predetermined constant. Examples of n (0), n (1),..., n (K) are different integers, for example, different integers of 0 or more and K or less. As a specific example, n (0) = 0, n (μ) = μ (μ = 1,..., K). In this embodiment, n (0), n (1),..., N (K) are predetermined constants, and n (μ) corresponding to μ can be specified.

The K−1 values v (k) (k = 1,..., K−1) output from the selection unit 115 are input to the internal distribution unit 318, and the value f (n) output from the calculation unit 316 is output. (K)) is input to the internal distribution unit 319. The internal distribution unit 318 performs secret sharing for each of v (k) (k = 1,..., K−1) according to the (K, N) threshold secret sharing method V _k , Generate variance value V _{k, i} (v (k)) (i = 1, ..., N) and distribute value V _{k, i} (v (k)) (i = 1, ..., N, k = 1,..., K-1) are output (step S315). For example, according to the Shamir secret sharing scheme (see, for example, Non-Patent Document 1), the internal distribution unit 318 distributes the distributed values V _{k, i} (v (k)) (i = 1,..., N, k = 1,. .., K-1). The internal distribution unit 319 secretly distributes the value f (n (K)) according to the (K, N) threshold value secret distribution method U and N distributed values U _i (f (n (K))) (i = 1,..., N) is generated, and the variance value U _i (f (n (K))) (i = 1,..., N) is output (step S316). The internal dispersion unit 319 generates a dispersion value U _i (f (n (K))) (i = 1,..., N) according to, for example, the method described in Reference Document 1. A method of generating N distributed values U _i (τ) by secretly distributing τ = f (n (K)) ∈G according to the (K, N) threshold secret sharing method U will be exemplified.

[Example 1 of (K, N) threshold secret sharing method U]
The internal distribution unit 318 selects a common key d (for example, 128-bit data) of the common key cryptosystem, encrypts the value τ using the common key d, and uses the common key cryptosystem ciphertext C (d, τ). Is generated. The internal distribution unit 318 converts the ciphertext C (d, τ) to C (0), C satisfying C (d, τ) = C (0) | C (1) | ... | C (K−1). Divide into (1), ..., C (K-1). However, C (0) | C (1) | ... | C (K-1) represents a bit combination of C (0), C (1), ..., C (K-1). The internal dispersion unit 318 includes a K-th order polynomial γ (x) = Σ _{υ = 0} ^K−1 C (k) · C where k (k) (k = 0,..., K−1) is a kth order coefficient. x ^υ is determined, and N function values γ (i) mod q (i = 0,..., N−1) of the K-th order polynomial γ (x) are obtained. Here, q is a prime number larger than C (0), C (1),..., C (K-1). The internal sharing unit 318 secretly distributes the common key d according to the (K, N) threshold secret sharing method such as the Shamir secret sharing method, and distributes N distributed values SH (1, d), ..., SH (N, d) and a variance value U _i (τ) = (γ (i) mod q, SH (i, d)) (i = 0,..., N−1) is generated.
[Example 2 of (K, N) threshold secret sharing method U]
The internal distribution unit 318 selects a random value d, d (0),..., D (N−2) ∈ {0, 1} ^ξ of ξ bits (for example, 128 bits), and d is a common key encryption The common key of the scheme is d (N-1) = dd (0) -...- d (N-2) mod 2 ^ξ . The internal distribution unit 318 encrypts the value τ using the common key d, and generates a ciphertext C (d, τ) in the common key cryptosystem. The internal distribution unit 318 converts the ciphertext C (d, τ) to C (0), C satisfying C (d, τ) = C (0) | C (1) | ... | C (K−1). Divide into (1), ..., C (K-1). The internal dispersion unit 318 includes a K-th order polynomial γ (x) = Σ _{υ = 0} ^K−1 C (k) · C where k (k) (k = 0,..., K−1) is a kth order coefficient. x ^υ is determined, and N function values γ (i) mod q (i = 0,..., N−1) of the K-th order polynomial γ (x) are obtained. The internal dispersion unit 318 has dispersion values U _i (τ) = (d (i mod N),..., D (i + N−2 (mod N)), γ (i) mod q) (i = 0 , ..., N-1) (end of [[K, N) threshold secret sharing method U] end).

Variance V _{k, i} (v (k)) (i = 1, ..., N, k = 1, ..., K-1) and variance U _i (f (n (K))) (i = 1,..., N) is input to the variance value generation unit 317. The variance value generation unit 317 uses these to calculate N variance values T _i (α) = (V _{1, i} (v (1)),..., V _{K−1, i} (v (K−1) )), U _i (f (n (K)))) (i = 1, ..., N) and outputs variance T _i (α) (i = 1, ..., N) (Step S317).

N variance values T _i (α) (i = 0,..., N−1) are input to the output unit 112, and the output unit 112 outputs N variance values T _i (α) (i = 0, ..., N-1) are output (step S315). Each of the output variance values T _i (α) (i = 0,..., N−1) is provided to each of the data storage devices 320-i (i = 1,..., N). . For example, the dispersion value T _λ (α) (λε {1,..., N}) is transmitted to the corresponding data storage device 320-λ (FIG. 2B) via a network or the like. The dispersion value T _λ (α) provided to the data storage device 320-λ is input to the input unit 121-λ and stored in the storage unit 123b-λ.

<Distributed data conversion processing>
A distributed data conversion process executed by the distributed data conversion apparatus 340-λ (λε {1,..., N}) will be described with reference to FIGS.
[Processing of Distributed Data Conversion Device 340-κ (κε {1,..., K-1}) (FIG. 12A)]
The distribution stored in the storage unit 123b-λ from the output unit 122-λ of the K data storage devices 320-λ (FIG. 7B) corresponding to K different λ∈ {1,..., N}. V _{κ, λ} (v (κ)) included in the value T _λ (α) is output. K V _{κ, λ} (v (κ)) corresponding to K different λ∈ {1,..., N} are distributed via the network or the like to the distributed data converter 340-κ (κ .Epsilon. {1,..., K-1}) (FIG. 9A) is input to the input unit 141-κ and stored in the storage unit 143b-κ (step S341-κ).

The internal restoration unit 345-κ stores K V _{κ, λ} (v (κ)) corresponding to K different λ∈ {1,..., N} stored in the storage unit 143b-κ. V (κ) is restored from the above, and the obtained v (κ) is output (step S342-κ). For example, if V _{κ, λ} (v (κ)) is a distributed value generated according to the Shamir secret sharing scheme, the internal restoration unit 345-κ may perform K V _{κ, λ} (v ( K-1) f (x) satisfying V _{κ, λ} (v (κ)) = f (v (κ)) with respect to κ)) is obtained, and f (0) = v (κ) is generated. .

v (κ) is input to the transformed variance generation unit 346-κ. The variances value generator 346-kappa, v conversion variance from _{(κ) S κ (α)} = calculates the P (v (κ)), said transformation variance _{S κ (α) = P (} v (κ )) Is output (step S343-κ). The transformed variance value S _κ (α) is input to the output unit 142-κ, and the output unit 142-κ outputs the transformed variance value S _κ (α) (step S344-κ). The transformed variance value S _κ (α) is transmitted to the corresponding data storage device 320-κ (FIG. 7B) via a network or the like. The transformed variance value S _κ (α) is input to the input unit 121-κ of the data storage device 320-κ and stored in the storage unit 123b-κ.

[Processing of Distributed Data Conversion Device 340-K (FIG. 12B)]
The distribution stored in the storage unit 123b-λ from the output unit 122-λ of the K data storage devices 320-λ (FIG. 7B) corresponding to K different λ∈ {1,..., N}. U _λ (f (n (K))) included in the value T _λ (α) is output. K U _λ (f (n (K))) corresponding to K different λ∈ {1,..., N} are transmitted via a network or the like to the distributed data conversion device 340-K ( The data is input to the input unit 141-K in FIG. 9B and stored in the storage unit 143b-K (step S341-K).

The transformed variance generation unit 346-K restores f (n (K)) from the K U _λ (f (n (K))) stored in the storage unit 143b-K, and the obtained f (n (K)) is output as the transformed variance value S _K (α) = f (n (K)) (step S342-K). Hereinafter, a method of restoring f (n (K)) from K U _λ (f (n (K))) will be exemplified.

[Example 1 of f (n (K)) restoration method]
When U _λ (f (n (K))) is generated in accordance with [Example 1 of (K, N) threshold secret sharing method U], the transform distribution value generation unit 346-K includes K U _λ (f (n (K))) = (γ (λ), SH (λ, d)) contains K γ (λ), and K-order polynomial γ (x) = Σ _υ modulo q _{= 0} ^K-1 C (υ) · x ^υ coefficient C (0) mod q, C (1) mod q, ..., C (K-1) mod q is obtained and ciphertext C (d, f (n (K))) = C (0) mod q | C (1) mod q | ... | C (K-1) mod q is generated. The coefficients C (0) mod q, C (1) mod q, ..., C (K-1) mod q are (x, γ (x)) = (k, γ (k)) It is obtained by solving the equation obtained by substituting into the polynomial γ (x). The transform variance value generation unit 346-K generates from K SH (λ, d) included in K U _λ (f (n (K))) = (γ (λ), SH (λ, d)). The common key d is restored, and the value f (n (K)) is restored by decrypting the ciphertext C (d, f (n (K))) using the common key d.

[Example 2 of f (n (K)) restoration method]
When U _λ (f (n (K))) is generated in accordance with [Example 2 of (K, N) threshold secret sharing method U], the transformed distribution value generation unit 346-K performs K distributions. The value U _λ (f (n (K))) = (d (λ mod N), ..., d (λ + N-2 (mod N)), γ (λ)) contains K γ ( λ), the coefficients C (0) mod q, C (1) mod q, ..., C (K-1) mod q of the Kth order polynomial γ (x) modulo q are obtained, and the ciphertext C (d, f (n (K))) = C (0) mod q | C (1) mod q | ... | C (K-1) mod q is generated. The transform variance value generation unit 346-K includes K variance values U _λ (f (n (K))) = (d (λ mod N),..., D (λ + N−2 (mod N)). ), γ (λ)) contains d (λ mod N), ..., d (λ + N-2 (mod N)), and the common key d = d (0) + ... + d (N- 1) Mod 2 ^ζ is calculated, and the value f (n (K)) is restored by decrypting the ciphertext C (d, f (n (K))) using the common key d ([f (n Example of restoration method of (K))] End).

The transformed variance value S _K (α) is input to the output unit 142-K, and the output unit 142-K outputs the transformed variance value S _K (α) (step S343-K). The transformed variance value S _K (α) is transmitted to the corresponding data storage device 320-K (FIG. 7B) via a network or the like. The transformed variance value S _K (α) is input to the input unit 121-K of the data storage device 320-K and stored in the storage unit 123b-K.

[Processing of Distributed Data Conversion Device 340-η (η∈ {K + 1,..., N})] (FIG. 12C)]
The transform variance value generation unit 346-η of the distributed data converter 340-η (η∈ {K + 1,..., N}) (FIG. 10) performs n (1),. F (n (η)) corresponding to n (η) different from the above is generated, and F (n (η)) is output as the transformed dispersion value S _η (α) = F (n (η)). Where F (x) is obtained from v (k) restored from K V _{k, λ} (v (k)) corresponding to K different λ∈ {1, ..., N}. F (n (k)) = P (v (k)) (k = 1, ..., K-1) and K different λ∈ {1, ..., N} For f (n (μ)) (μ = 1, ..., K) consisting of f (n (K)) restored from K U _λ (f (n (K))) It is a K-1 order equation satisfying F (n (μ)) = f (n (μ)) (μ = 1,..., K).

A simple method is to _calculate K V _{k, λ} (v (k)) for each of K U _λ (f (n (K))) and k (k = 1, ..., K-1). Are input to the conversion variance value generation unit 346-η, and the conversion variance value generation unit 346-η restores f (n (μ)) (μ = 1,..., K) from these, This is a method of generating a transformed dispersion value S _η (α) = F (n (η)) by using. Alternatively, S ₁ (α),..., S _K (α) output from the transform variance value generators 346-1 to 34-1 to _K are input to the transform variance value generator 346 -η, and the transform variance value generator 346. −η is a method of generating a transformed dispersion value S _η (α) = F (n (η)) using these. However, from the viewpoint of security, f (n (μ)) (μ = 1,..., K) is not known in the distributed data converter 340-η, and the distributed data converter 340-η converts it. A method capable of generating the dispersion value S _η (α) = F (n (η)) is desirable. That is, if the distributed data conversion device 340-η obtains f (n (μ)) (μ ≠ η) other than f (n (η)), less than K distributed data conversion devices 340-η are predetermined. This is because the value α can be restored by performing the above process, and the secret sharing requirement may not be satisfied. In the following, the distributed data conversion device 340-η does not restore f (n (μ)) (μ = 1,..., K), and the converted distributed value S _η (α) = F (n (η) ) Is exemplified.

The transformed dispersion value generation unit 346-η of the distributed data converter 340-η (η∈ {K + 1,..., N}) (FIG. 10) performs the following operation: Rnd _{η, 1} +... + Rnd _{η, K} = 0 Rnd _{η, 1} ,..., Rnd _{η, K} that are to be selected are randomly selected from a predetermined range, and these are input to the output unit 142-η. The output unit 142-η outputs Rnd _{η, 1} ,..., Rnd _{η, K} (step S341-η). The output Rnd _{η, κ} (κε {1,..., K-1}) is provided to the distributed data conversion device 340-κ (FIG. 9A) via the network or the like, and the distributed data conversion device 340 is provided. The signal is input to the input unit 141-κ of −κ and stored in the storage unit 143b-κ. The output Rnd _{η, K} is provided to the distributed data conversion device 340-K (FIG. 9B) via a network or the like, and is input to the input unit 141-K of the distributed data conversion device 340-K to be stored in the storage unit 143b. Stored in -K.

Q_κ,ηは出力部１４２−κから出力され、ネットワーク等を経由して分散データ変換装置３４０−ηに提供される。 The transform variance value generation unit 346-κ of the distributed data converter 340-κ (κε {1,..., K-1}) performs Q _{κ, η} = f (n (κ)) · L _κ (η ) + Rnd _κ (Rnd _κ = Rnd _{1, κ} + ... + Rnd _{K, κ} , η∈ {K + 1, ..., N}) and outputs the obtained Q _{κ, η} . However, f (n (κ)) = P (v (κ)), and L _κ (η) satisfies the following.

Q _{κ, η} is output from the output unit 142-κ and provided to the distributed data conversion device 340-η via a network or the like.

Q_K,ηは出力部１４２−Ｋから出力され、ネットワーク等を経由して分散データ変換装置３４０−ηに提供される。 Similarly, the conversion variance value generation unit 346-K of the distributed data conversion device 340-K includes Q _{K, η} = f (n (K)) · L _K (η) + Rnd _K (Rnd _K = Rnd _{1, K} + ... + Rnd _{K, K} , η∈ {K + 1, ..., N}) is calculated, and the obtained Q _{K, η} is output. However, L _K (η) satisfies the following.

Q _{K, η} is output from the output unit 142-K and provided to the distributed data conversion device 340-η via a network or the like.

Q _{1, η} , ..., Q _{K, η} are input to the input unit 141-η of the distributed data converter 340-η (η∈ {K + 1, ..., N}) (FIG. 10). And stored in the storage unit 143b-η (step S342-η). The conversion variance value generator 346-η generates a conversion variance value S _η (α) = F (n (η)) as follows, and outputs the generated conversion variance value S _η (α) (step S343). −η).

In the above processing, Q _{1, η} ,..., Q _{K, η} provided from the conversion variance value generation units 346-1 to 346 -K to the conversion variance value generation unit 346 -η are random values Rnd _{η, 1} , …, Rnd _{η, K} , f (n (κ)) · L _κ (n (η)) (κ∈ {1, ..., K-1}) and f (n (K)) · L _K ( n (η)) information is kept secret. On the other hand, since Rnd _K = Rnd _{1, K} + ... + Rnd _{K, K} , Rnd _{η, 1} +... + Rnd _{η, K} = 0, the following holds.

The transformed variance value S _η (α) is input to the output unit 142-η, and the output unit 142-η outputs the transformed variance value S _η (α) (step S344-η). The transformed variance value S _η (α) is transmitted to the corresponding data storage device 320-η (ηε {K + 1,..., N}) (FIG. 7B) via a network or the like. The transformed variance value S _η (α) is input to the input unit 121-η of the data storage device 320-η and stored in the storage unit 123b-η.
<Distributed value provision / secret calculation>
Similar to the first embodiment, the data storage devices 320-λ (FIG. 7B) corresponding to K different λ∈ {1,..., N} are distributed values T stored in the storage unit 123b-λ. _λ (α) is output, or secret calculation is performed by the secret calculation unit 327-λ and a variance value E _λ representing the result is output. These are sent to the data restoration device 330 via a network or the like.

<Data restoration processing>
As illustrated in FIG. 13, the input unit 131 of the data restoration device 330 (FIG. 8) has K variance values T _λ (corresponding to K different λ∈ {1,..., N}. α) or K dispersion values E _λ are input (step S331). The control unit 134 determines whether K dispersion values T _λ (α) are input or K dispersion values E _λ are input (step S332).

If it is determined in step S 332 that K dispersion values T _λ (α) have been input, these K dispersion values T _λ (α) are input to the conversion unit 335. The conversion unit 335 generates K different n (μ) (μ = 1, μ) from K dispersion values T _λ (α) corresponding to K different λ∈ {1,. ..., K) corresponding to K values f (n (μ)) (μ = 1, ..., K). First, the internal restoration unit 335a of the conversion unit 335 generates a value f (n) from K variance values T _λ (α) corresponding to the input K different λ∈ {1,..., N}. (K)) and v (k) (k = 1, ..., K-1) and restore the values f (n (K)) and v (k) (k = 1, ..., K- 1) is output (step S333). A specific example of this process is as described in step S342-κ and step S342-K.

  The values f (n (K)) and v (k) (k = 1,..., K−1) are input to the coordinate restoration unit 335b. The coordinate restoration unit 335b calculates P (v (k)) (k = 1, ..., K-1) from v (k) (k = 1, ..., K-1), Let f (n (k)) = P (v (k)) (k = 1, ..., K-1). The coordinate restoration unit 335b includes K values f including the input value f (n (K)) and f (n (k)) (k = 1,..., K−1) obtained by calculation. (n (μ)) (μ = 1,..., K) is output (step S334).

  K values f (n (μ)) (μ = 1,..., K) are input to the restoration unit 336. The restoration unit 336 performs F (n (μ)) = f (n (μ)) (μ = 1 for these K values f (n (μ)) (μ = 1,..., K). ,..., K), the function value F (n (0)) = α of the K−1 linear expression F (x) is generated, and the value α obtained thereby is output (step S335). A specific example of this process is as described in step S134. The value α is input to and output from the output unit 132 (step S135).

On the other hand, if it is determined in step S332 that the variance value E _λ has been input, the restoration unit 336 performs the processing in steps S136 and S137 described in the first embodiment.

<Features of this embodiment>
In this embodiment, compared to the conventional secret sharing scheme, the data amount of the distributed value can be greatly reduced. For example, when the data amount of each value v (k) (k = 1, ..., K-1) is sufficiently smaller than the data amount of the elements of the set G (for example, (v (m) each data amount ) / (Data amount of elements of set G) ≦ 80/10 ⁶ ), variance value T _i (α) = (V _{1, i} (v (1)), ..., V _K-1, The data amount of _i (v (K-1)), U _i (f (n (K))) can be regarded as the data amount of U _i (f (n (K))). If the data amount of the variance value U _i (f (n (K))) is smaller than the data amount of the elements of the set G, the data amount of the variance value T _i (α) of this embodiment is It becomes smaller than the data amount of the variance value. For example, when the distributed value U _i (f (n (K))) is generated by the method of Reference Document 1, if the data amount of the distributed value of the common key d is ignored, the distributed value U _i (f (n ( The data amount of K))) can be regarded as approximately 1 / K times the data amount of the elements of the set G. Therefore, the total data amount of the distributed value is approximately N / K times the original data α, the total data amount of the distributed value necessary for restoration is almost equal to the data amount of the original data α, both of which are data compared to Shamir secret sharing The amount can be reduced to about 1 / K times.

  Furthermore, the distributed data conversion process in the distributed data conversion device generates a converted distributed value that can be used as an input for the secret calculation without restoring the original value α from the distributed value obtained by the data distribution device. It is also possible to execute a secret calculation.

In this embodiment, the variance value generation unit 317 has N variance values T _i (α) = (V _{1, i} (v (1)),..., V _{K−1, i} (v (K -1)), U _i (f (n (K)))) (i = 1, ..., N). However, the variance value generation unit may output [n (1),..., N (K), T _i (α)] (i = 1,..., N). The distributed data converter generates and outputs [n (i), S _i (α)], and the data restoration device outputs any K [n (1), ..., n (K), T _λ (α)] The value α may be restored from (λ∈ {1,..., N}). In addition, the dispersion value generation unit 317 may output other additional information as a dispersion value in addition to T _i (α).

The data amount of n (i) (i = 1,..., N) is smaller than the data amount of the elements of the set G. Preferably, the data amount of n (i) (i = 1, ..., N) is negligible with respect to the data amount of the elements of the set G (for example, (n (i) each data amount ) / (Data amount of elements of set G) ≦ 80/10 ⁶ ).
[Fourth Embodiment]
Next, a fourth embodiment of the present invention will be described. This embodiment is a modification of the third embodiment, and the data value of the distributed value is further reduced by diverting the same value v (k) to a plurality of secret shares. Below, it demonstrates centering on difference with the above-mentioned embodiment. The same reference numerals as those in the above-described embodiment are used for processing units and steps that are the same as those in the above-described embodiment, and the description will be simplified.
In the fourth embodiment, N, K, and R are integers of 2 or more, K ≦ N, G is a certain set, and P (x) moves a value corresponding to x to an element of the set G It is a mapping. Specific examples of the set G and mapping P (x) in the present embodiment are the same as the specific examples of the set G and mapping P (x) described in the first embodiment. K = N may be sufficient and K <N may be sufficient.

The secret sharing system according to the fourth embodiment includes a data sharing device, a data restoration device, N data storage devices, and N distributed data conversion devices.
The data distribution apparatus of this embodiment selects K−1 values v (k) (k = 1,..., K−1), and sets values corresponding to r and value v (k) to z ( r, v (k)) and K-1 values for each r a _r (k) = P (z (r, v (k))) (r = 1, ..., R, k = 1, ..., K-1) and the value f _r (n _r (K)). However, the values n _r (0), n _r (1), ..., n _r (K) corresponding to the same r are different from each other, and the values n _r (1), ..., n _r (K- F _r (n _r (k)) = a _r (k) (k = 1, ..., K-1) and f _r (n _r ) for 1) and the value α _r ∈G which is an element of the set G A K−1 order expression satisfying (0)) = α _r is f _r (x). The data distribution apparatus secretly distributes v (k) (k = 1, ..., K-1) according to the (K, N) threshold secret distribution method V _{k and} N distributed values V for each k. _{k, i} (v (k)) (i = 1, ..., N), and for each _r , the value f _r (n _r (K) according to the (K, N) threshold secret sharing scheme U _r ) To obtain N distributed values U _{r, i} (f _r (n _r (K))) (i = 1, ..., N) and r (r = 1, ..., N variance values T _i (α _r ) = (V _{r, 1, i} (v (1)), ..., V _{r, K-1, i} (v (K-1)) for each of R) ), U _{r, i} (f _r (n _r (K)))) (r = 1, ..., R, i = 1, ..., N). However, at least _one of V _{1, k, i} (v (k)), ..., V _{R, k, i} (v (k)) is the variance value V _{k, i} (v (k)) . Any scheme may be used as the (K, N) threshold secret sharing scheme _Ur . In the (K, N) threshold secret sharing scheme U _r , the data amount of one U _{r, i} (f _r (n _r (K))) is smaller than the data amount of one element of the set G Is desirable to be used. For example, the method described in reference 1 (K, N) is desirably used as a threshold secret sharing scheme U _r. (K, N) threshold secret sharing scheme U _1, ..., U _R may be the same type to each other, or not.

The data restoration apparatus according to the present embodiment is configured such that for each of r (r = 1,..., R), K dispersion values T _λ corresponding to K different λ∈ {1,. From (α _r ), values f _r (n _r (μ)) (μ = 1, ..., K corresponding to K different n _r (μ) (μ = 1, ..., K) ) And for each of r (r = 1, ..., R), F _r (n _r (μ)) = f _r (n _r (μ)) (μ = 1, ..., K) A function value F _r (n _r (0)) = α _r of the K−1 linear expression F _r (x) that satisfies is obtained. For example, the data restoration apparatus, for each of r (r = 1,..., R), has a variance value T _λ (α _r ) corresponding to K different λ∈ {1,. From the values f _r (n _r (K)) (r = 1, ..., R) and v (k) (k = 1, ..., K-1) and r (r = 1 , ..., R) for each of f _r (n _r (k)) = P (z (r, v (k))) (k = 1, ..., K-1) Values f _r (n _r (μ)) (μ = 1,..., K) corresponding to different n _r (μ) (μ = 1,..., K).

The first,..., K−1th distributed data conversion apparatus of the present embodiment has a distributed value T _λ (α _r ) (λ∈ corresponding to K different λ∈ {1,..., N}. V (κ) (κ∈ {1, ..., K-1}) is restored from V _{κ, λ} (v (κ)) included in {1, ..., N}), and r (r For each of = 1,..., R), a transformed dispersion value P (z (r, v (κ)) (κ∈ {1,..., K−1}) is obtained from v (κ). The K-th distributed data conversion apparatus according to this embodiment includes U _{r, λ} (f _r (n) included in the distributed values T _λ (α _r ) corresponding to K different λ∈ {1,. _r (K))) to obtain the transformed variance value f _r (n _r (K)) (r = 1, ..., R) .K + 1, ..., Nth variance data of this embodiment The converter is F _r (n _r (η)) (η∈ {K + 1, ...) corresponding to n _r (η) different from n _r (μ) (μ = 1, ..., K). , N}), where F _r (x) is the variance T _λ (α _r ) (λ∈ {1,. .., N}) f _r (n _r (k)) = P (z (r, v (k)) obtained from v (k) restored from V _{k, λ} (v (k)) ) (r = 1, ..., R, k = 1, ..., K-1) and K different λ∈ {1, .. , N}, the transformed variance f _r (n _r (K)) (r that is restored from U _{r, λ} (f _r (n _r (K))) included in the variance T _λ (α _r ) = 1, ..., R), f _r (n _r (μ)) (μ = 1, ..., K) and F _r (n _r (μ)) = f _r (n _r (μ)) is a K-1 order equation that satisfies (μ = 1, ..., K), and the transformation variance obtained in this way is used as the input value for the secret calculation. Is a secret calculation based on Shamir secret sharing disclosed in, for example, Non-Patent Document 2. The secret calculation may be a unary operation or a multinomial operation.

Preferably, in this embodiment, the data amount of the variance value U _{r, i} (f _r (n _r (K))) is smaller than the data amount of the elements of the set G. Preferably, in this embodiment, the data amount of each of the variance values V _{r, k, i} (v (k)) is smaller than the data amount of the elements of the set G. More preferably in this embodiment, the data amount of each value v (k) is smaller than the data amount of the elements (one element) of the set G. Even more preferably, the data amount of each value v (m) is negligible with respect to the data amount of the elements of the set G (for example, (data amount of each of v (m)) / (set G The amount of data in the element) ≤ 80/10 ⁶ ).

<Configuration>
As illustrated in FIG. 6, the secret sharing system 4 according to the fourth embodiment includes a data sharing device 410, N data storage devices 420-i (i = 1,..., N), N shared data. A conversion device 440-i (i = 1,..., N) and a data restoration device 430 are included. The data distribution device 410 can provide information to the N data storage devices 420-i (i = 1,..., N) via a network or a portable recording medium. Each of the N data storage devices 420-i (i = 1,..., N) is connected to the N distributed data conversion devices 440-i (i = 1) via a network or a portable recording medium. , ..., N) can exchange information. Each of the N distributed data converters 440-i (i = 1,..., N) can provide information to each other via a network or a portable recording medium. Further, each of the N data storage devices 420-i (i = 1,..., N) can provide information to the data restoration device 430 via a network or a portable recording medium. It is.

  As illustrated in FIG. 7A, the data distribution apparatus 410 of this embodiment includes an input unit 111, an output unit 112, a memory 113, a control unit 314, a selection unit 115, a division unit 211, a conversion unit 216, and internal distribution units 318 and 419. And a variance value generation unit 417. The data distribution apparatus 410 according to this embodiment executes each process under the control of the control unit 414.

  As illustrated in FIG. 7B, the data storage device 420-λ (λε {1,..., N}) includes an input unit 121-λ, an output unit 122-λ, memories 123a-λ, and a storage unit 123b-. λ, control unit 324-λ, and secret calculation unit 427-λ. The data storage device 420-λ of this embodiment executes each process under the control of the control unit 424-λ.

  As illustrated in FIG. 8, the data restoration device 430 of this embodiment includes an input unit 131, an output unit 132, a memory 133, a control unit 434, a conversion unit 435, a restoration unit 436, and a combining unit 237. The conversion unit 435 includes internal restoration units 435a and 435b. The data restoration device 430 according to this embodiment executes each process under the control of the control unit 434.

As illustrated in FIG. 9A, the distributed data conversion apparatus 440-κ (κε {1,..., K-1}) of this embodiment includes an input unit 141-κ, an output unit 142-κ, and a memory 143a-. κ, a storage unit 143b-κ, a control unit 444-κ, an internal restoration unit 445-κ, and a transform variance value generation unit 446-κ. As illustrated in FIG. 9B, the distributed data conversion apparatus 440-K according to the present embodiment includes an input unit 141-K, an output unit 142-K, a memory 143a-K, a storage unit 143b-K, a control unit 444-K, and A conversion variance value generation unit 446-K is included. As illustrated in FIG. 10, the distributed data conversion apparatus 440-η (ηε {K + 1,..., N}) of this embodiment includes an input unit 141-η, an output unit 142-η, and a memory 143a-. η, a storage unit 143b-η, a control unit 444-η, and a transform variance value generation unit 446-η.
The distributed data conversion apparatus 440-λ according to this embodiment executes each process under the control of the control unit 440-λ. Data input to the input unit 440-λ and data obtained by each process are stored in the memory 143a-λ and the storage unit 143b-λ, and data stored in the memory 143a-λ and the storage unit 143b-λ are necessary. Is read out and used for other processing.

<Data distribution processing>
As illustrated in FIG. 14, a value α to be secretly shared is input to the input unit 111 of the data distribution device 310 (FIG. 7A) (step S111). The value α is input to the dividing unit 211. Dividing unit 211, R number of values alpha _r ∈G value alpha is an element of the set G (r = 1, ..., R) is divided into, R number of values α _{r (r} = 1, .. ., R) is output (step S211). The selection unit 115 selects K-1 values v (k) (k = 1, ..., K-1) and selects values v (k) (k = 1, ..., K-1). Is output (step S112). Values v (k) (k = 1,..., K−1) are input to the conversion unit 216. The converting unit 216 sets z (r, v (k)) as a value corresponding to r and the value v (k), and K−1 values a _r (k) = P (z) for each of _r. (r, v (k))) (r = 1, ..., R, k = 1, ..., K-1) and generates (K-1) x R values a _r ( k) = P (z (r, v (k))) (r = 1,..., R, k = 1,..., K-1) is output (step S213).

The values α _r (r = 1,..., R) output from the dividing unit 211 and the (K−1) × R values a _r (k) = P (z) output from the converting unit 216. (r, v (k))) (r = 1,..., R, k = 1,..., K−1) is input to the calculation unit 416. The calculation unit 416 generates values f _r (n _r (K)) (r = 1,..., R) using these, and the obtained values f _r (n _r (K)) (r = 1, ..., R) is output. However, f _r (x) is the value _{n r (1), ...,} n r (K-1) and an element of the set G value alpha _r ∈G and for _{f r (n r (k)} ) = It is a K−1 order expression satisfying a _r (k) (k = 1,..., K−1) and f _r (n _r (0)) = α _r . The values n _r (0), n _r (1),..., N _r (K) corresponding to the same r are different from each other (step S414). For example, the variance value generation unit 417 generates f _r (n _r (k)) = a _r (k) (k = 1,..., K−1) and f _r (n _r (0)) = α _r It obtains the coefficients of a met K-1 linear equation f _r (x), which f by substituting n _r (K) in K-1 linear equation f _r (x) specified by _r (n _r ( K)) is generated. n _r (0), n _r (1),..., n _r (K) may be fixed by the variance value generation unit 417 or may be a predetermined constant. Examples of n _r (0), n _r (1),..., n _r (K) are different integers, for example, different integers of 0 to K. As a specific example, n _r (0) = 0, n _r (μ) = μ (μ = 1,..., K). In this embodiment, n _r (0), n _r (1),..., N _r (K) are predetermined constants, and a case where n _r (μ) corresponding to μ can be specified is illustrated. .

The K−1 values v (k) (k = 1,..., K−1) output from the selection unit 115 are input to the internal distribution unit 318 and the values f _r ( n _r (K)) (r = 1,..., R) is input to the internal dispersion unit 419. The internal distribution unit 318 performs secret sharing for each of v (k) (k = 1,..., K−1) according to the (K, N) threshold secret sharing method V _k , Generate variance value V _{k, i} (v (k)) (i = 1, ..., N) and distribute value V _{k, i} (v (k)) (i = 1, ..., N, k = 1,..., K-1) are output (step S315). For each r, the internal distribution unit 419 secretly distributes the value f _r (n _r (K)) according to the (K, N) threshold value secret distribution method U _r and N distributed values U _{r, i} (f _r (n _r (K))) (i = 1, ..., N) and the variance U _{r, i} (f _r (n _r (K))) (i = 1, ..., N, r = 1,..., R) are output (step S416). In step S416, for example, the above-described [(K, N) threshold secret sharing method U example 1, 2] is executed with τ = f _r (n _r (K)).

Variance V _{k, i} (v (k)) (i = 1, ..., N, k = 1, ..., K-1) and variance U _{r, i} (f _r (n _r (K ))) (i = 1,..., N) are input to the variance value generation unit 417. The variance value generation unit 417 uses these to calculate N variance values T _i (α _r ) = (V _{r, 1, i} (v (1)) for each of r (r = 1,. ), ..., V _{r, K-1, i} (v (K-1)), U _{r, i} (f _r (n _r (K)))) (r = 1, ..., R, i = 1, ..., N) and R × N variances T _i (α _r ) = (V _{r, 1, i} (v (1)), ..., V _{r, K -1, i} (v (K-1)), U _{r, i} (f _r (n _r (K)))) (r = 1, ..., R, i = 1, ..., N) Is output (step S417). However, at least _one of V _{1, k, i} (v (k)), ..., V _{R, k, i} (v (k)) is the variance value V _{k, i} (v (k)) . All of R V _{1, k, i} (v (k)), ..., V _{R, k, i} (v (k)) may be V _{k, i} (v (k)) And only one of R V _{1, k, i} (v (k)), ..., V _{R, k, i} (v (k)) is V _{k, i} (v (k)) There may be. V _{1, k, i} (v (k)), ..., V _{R, k, i} (v (k)) that are not V _{k, i} (v (k)) It may be a parameter such as r or R. An example of V _{1, k, i} (v (k)), ..., V _{R, k, i} (v (k)) is V _{1, k, i} (v (k)) = V _{k, i} (v (k)), V _{2, k, i} (v (k)) = ... = V _{R, k, i} (v (k) = φ, where φ represents a null value.

R × N variance values T _i (α _r ) (i = 1, ..., N, r = 1, ..., R) are input to the output unit 112, and the output unit 112 has N variances. The values T _i (α _r ) (i = 1,..., N, r = 1,..., R) are output (step S418). Each of the output variance values T _i (α _r ) (i = 1,..., N, r = 1,..., R) corresponds to the data storage device 420-i (i = 1,. ), N). For example, the dispersion value T _λ (α _r ) (λ∈ {1,..., N}, r = 1,..., R) is transmitted via the network or the like to the corresponding data storage device 420-λ. (FIG. 7B). The dispersion value T _λ (α _r ) (r = 1,..., R) provided to the data storage device 420-λ is input to the input unit 121-λ and stored in the storage unit 123b-λ.

<Distributed data conversion processing>
A distributed data conversion process executed by the distributed data conversion apparatus 440-λ (λε {1,..., N}) will be described with reference to FIGS.
[Processing of Distributed Data Conversion Device 440-κ (κε {1,..., K-1}) (FIG. 15A)]
The distribution stored in the storage unit 123b-λ from the output unit 122-λ of the K data storage devices 420-λ (FIG. 7B) corresponding to K different λ∈ {1,. V _{r, κ, λ} (v (κ)) (r = 1,..., R) included in the value T _λ (α _r ) (r = 1,..., R) is output. V _{r, κ, λ} (v (κ)) (r = 1, ..., R) corresponding to K different λ∈ {1, ..., N} via a network etc. The distributed data converter 440-κ (κε {1,..., K-1}) (FIG. 9A) is input to the input unit 141-κ and stored in the storage unit 143b-κ (step S441-). κ).

The internal restoration unit 345-κ stores the variance values T _λ (α _r ) (λ∈ {1) corresponding to K different λ∈ {1,..., N} stored in the storage unit 143b-κ. , ..., N}, r = 1, ..., R) contains V _{κ, λ} (v (κ)) and v (κ) (κ∈ {1, ..., K-1} ) And v (κ) obtained are output (step S442-κ). A specific example of a method for restoring v (κ) (κε {1,..., K-1}) from V _{κ, λ} (v (κ)) is as described in the third embodiment.

v (κ) is input to the transformed variance generation unit 446-κ. For each of r (r = 1,..., R), the transform variance value generation unit 446-κ converts the transform variance value P (z (r, v (κ)) (κ∈ {1 , ..., K-1}) and outputs the transformation variance S _κ (α _r ) = P (z (r, v (κ)) (r = 1, ..., R) The transformed dispersion value S _κ (α _r ) (r = 1,..., R) is input to the output unit 142-κ, and the output unit 142-κ outputs the transformed dispersion value S _κ (α _r ) (r = 1, ..., and it outputs the R) (step S444-kappa). conversion variance _{S κ (α r) (r} = 1, ..., R) , via a network or the like, the corresponding data The transformed dispersion value S _κ (α _r ) (r = 1,..., R) is input to the input unit 121-κ of the data storage device 420-κ. And stored in the storage unit 123b-κ.

[Processing of Distributed Data Conversion Device 340-K (FIG. 15B)]
The distribution stored in the storage unit 123b-λ from the output unit 122-λ of the K data storage devices 420-λ (FIG. 7B) corresponding to K different λ∈ {1,. U _{r, λ} (f _r (n _r (K))) (r = 1,..., R) included in the value T _λ (α _r ) is output. U _{r, λ} (f _r (n _r (K))) (r = 1,...) Included in the variance values T _λ (α _r ) corresponding to K different λ∈ {1, ..., N}. ., R) are input to the input unit 141-K of the distributed data conversion apparatus 440-K (FIG. 9B) via the network or the like and stored in the storage unit 143b-K (step S441-K). .

The transform variance value generation unit 446-K stores U _{r, λ} (f _r (n _r (n) corresponding to K different λ∈ {1,..., N} stored in the storage unit 143b-K. K))) Restore f _r (n _r (K)) (r = 1, ..., R) from (r = 1, ..., R) and obtain f _r (n _r (K )) Is output as the transformation variance S _K (α _r ) = f _r (n _r (K)) (r = 1,..., R) (step S442-K). A specific example of the process for restoring f _r (n _r (K)) is U _λ (f (n (K))), In this process, f (n (K)) is replaced with U _λ (f _r (n _r (K))) and f _r (n _r (K)).

The transformed variance value S _K (α _r ) (r = 1,..., R) is input to the output unit 142 -K, and the output unit 142 -K outputs the transformed variance value S _K (α _r ) (r = 1, ..., R) are output (step S443-K). The transformed variance value S _K (α _r ) (r = 1,..., R) is transmitted to the corresponding data storage device 420-K (FIG. 7B) via a network or the like. The transformed variance value S _K (α _r ) (r = 1,..., R) is input to the input unit 121-K of the data storage device 420-K and stored in the storage unit 123b-K.

[Processing of Distributed Data Conversion Apparatus 440-η (η∈ {K + 1,..., N}) (FIG. 15C)]
Distributed data converter 440-η (η∈ {K + 1, ..., N}) is converted variance value generator 446-eta (Figure _{10), n r (μ)} (μ = 1, ... , (F _r (n _r corresponding to η) (η) K) different from _{n r) (η∈ {K +} 1, ..., n}, r = 1, ..., R) to generate a , F _r (n _r (η)) (η∈ {K + 1, ..., N}, r = 1, ..., R) is transformed into the transformation variance S _η (α _r ) = F _r ( n _r (η)) (r = 1, ..., R) However, F _r (x) has a variance value T _λ (α _r ) (λ∈ {1, ..., N}) corresponding to K different λ∈ {1, ..., N}. F _r (n _r (k)) = P (z (r, v (k))) (r = 1, .. obtained from v (k) restored from V _{k, λ} (v (k)) containing .., R, k = 1, ..., K-1) and U _r included in variance values T _λ (α _r ) corresponding to K different λ∈ {1, ..., N} _{, λ} (f _r (n _r (K))) and the transformed variance f _r (n _r (K)) (r = 1, ..., R), f _r (n _r ( μ)) (μ = 1, ..., K), K satisfying F _r (n _r (μ)) = f _r (n _r (μ)) (μ = 1, ..., K) -Linear equation.

As described in the third embodiment, the method for generating F _r (n _r (η)) is not limited. However, from the viewpoint of security, f _r (n _r (μ)) (μ = 1,..., K, r = 1,..., R) is known to the distributed data converter 440-η. However, it is desirable that the distributed data converter 440-η can generate the converted dispersion value S _η (α _r ) = F _r (n _r (η)). In the following, the distributed data converter 440-η does not restore f _r (n _r (μ)) (μ = 1,..., K, r = 1,. A method for generating S _η (α _r ) = F _r (n _r (η)) will be exemplified.

Distributed data converter 440-η (η∈ {K + 1, ..., N}) is converted variance value generator 446-eta (Figure _{10), Rnd r, η,} 1 + ... + Rnd r, η _, Rnd _r of the _{K = 0, η, 1,} ..., Rnd r, η, randomly selected _K from a predetermined range, and inputs them to the output unit 142-eta. The output unit 142-η outputs Rnd _{r, η, 1} ,..., Rnd _{r, η, K} (step S441-η). The output Rnd _{r, η, κ} (κ∈ {1,..., K−1}, r = 1,. 9A), input to the input unit 141-κ of the distributed data converter 440-κ, and stored in the storage unit 143b-κ. The output Rnd _{r, η, κ} (κ∈ {1,..., K−1}, r = 1,. 9B), input to the input unit 141-K of the distributed data converter 440-K, and stored in the storage unit 143b-K.

Q_r,κ,ηは出力部１４２−κから出力され、ネットワーク等を経由して分散データ変換装置４４０−ηに提供される。 The transformed dispersion value generation unit 446-κ of the distributed data conversion device 440-κ (κε {1,..., K-1}) is Q _{r, κ, η} = f _r (n _r (κ)) · L _{r, κ} (η) + Rnd _{r, κ} (Rnd _{r, κ} = Rnd _{r, 1, κ} + ... + Rnd _{r, K, κ} , η∈ {K + 1, ..., N}) And outputs the obtained Q _{r, κ, η} . However, f _r (n _r (κ)) = P (z (r, v (κ))), and L _{r, κ} (η) satisfies the following.

Q _{r, κ, η} is output from the output unit 142-κ and provided to the distributed data conversion device 440-η via a network or the like.

Q_r,K,ηは出力部１４２−Ｋから出力され、ネットワーク等を経由して分散データ変換装置４４０−ηに提供される。 Similarly, the conversion variance value generation unit 446-K of the distributed data conversion device 440-K includes Q _{r, K, η} = _fr, (n _r, (K)) · L _{r, K} (η) + Rnd _{r , K} (Rnd _{r, K} = Rnd _{r, 1, K} + ... + Rnd _{r, K, K} , η∈ {K + 1, ..., N}) and Q _r, Output _{K and η} . However, L _{r, K} (η) satisfies the following.

Q _{r, K, η} is output from the output unit 142-K and provided to the distributed data conversion device 440-η via a network or the like.

Q _{r, 1, η} , ..., Q _{r, K, η} are input units 141-- of the distributed data converter 440-η (ηε {K + 1, ..., N}) (FIG. 10). is input to η and stored in the storage unit 143b-η (step S442-η). The conversion variance value generation unit 446-η generates the conversion variance value S _η (α _r ) = F _r (n _r (η)) as follows, and outputs the generated conversion variance value S _η (α _r ). (Step S443-η).

The transformed variance value S _η (α _r ) is input to the output unit 142-η, and the output unit 142-η outputs the transformed variance value S _η (α _r ) (step S444-η). The transformed variance value S _η (α _r ) is transmitted to the corresponding data storage device 420-η (ηε {K + 1,..., N}) (FIG. 7B) via a network or the like. The transformed variance value S _η (α _r ) is input to the input unit 121-η of the data storage device 420-η and stored in the storage unit 123b-η.

<Distributed value provision / secret calculation>
Similar to the second embodiment, the data storage devices 420-λ (FIG. 7B) corresponding to K different λ∈ {1,..., N} are distributed values T stored in the storage unit 123b-λ. _λ (α _r ) (r = 1,..., R) is output, or the secret calculation unit 427-λ performs secret calculation and a variance value E _{λ, r} (r = 1, ..., R) is output. These are sent to the data restoration device 430 via a network or the like.
<Data restoration processing>
As illustrated in FIG. 16, the input unit 131 of the data restoration device 430 (FIG. 8) has a variance value T _λ (α _r ) corresponding to K different λ∈ {1,. Alternatively, the variance value E _{λ, r} is input (step S431). The controller 134 determines whether K variance values T _λ (α _r ) or K variance values E _{λ, r} have been input (step S432).

When it is determined in step S432 that variance values T _λ (α _r ) (r = 1,..., R) corresponding to K different λ∈ {1,. These dispersion values T _λ (α _r ) (r = 1,..., R) are input to the conversion unit 435. For each of r (r = 1,..., R), the transform unit 435 uses K dispersion values T _λ (α _r corresponding to K different λ∈ {1,..., N}. ) To obtain values f _r (n _r (μ)) (μ = 1, ..., K) corresponding to K different n _r (μ) (μ = 1, ..., K). . First, the internal restoration unit 435a of the conversion unit 435 performs a variance value T corresponding to K different λ∈ {1,..., N} for each of r (r = 1,..., R). Restore the values f _r (n _r (K)) (r = 1, ..., R) and v (k) (k = 1, ..., K-1) from _λ (α _r ), Output the values f _r (n _r (K)) (r = 1, ..., R) and v (k) (k = 1, ..., K-1). A specific example of this process is as described in step S442-κ and step S442-K.

The values f _r (n _r (K)) (r = 1,..., R) and v (k) (k = 1,..., K−1) are input to the coordinate restoration unit 435b. The coordinate restoration unit 435b performs v (k) (k = 1, ..., K-1) to P (z (r, v (k)) for each of r (r = 1, ..., R). )) Calculate (k = 1,..., K-1), and let them be f _r (n _r (k)) = P (z (r, v (k))). The coordinate restoration unit 435b receives the input value f _r (n _r (K)) (r = 1,..., R) and f _r (n _r (k)) (k = 1, ..., K-1, r = 1, ..., R) f _r (n _r (μ)) (μ = 1, ..., K, r = 1, ..., R ) Is output (step S434).

The values f _r (n _r (μ)) (μ = 1,..., K, r = 1,..., R) are input to the restoration unit 436. For each of r (r = 1, ..., R), the restoration unit 436 uses these values f _r (n _r (μ)) (μ = 1, ..., K, r = 1,... ., F against _{R) r (n r (μ} ) _{in) = f r (n r (} μ)) (μ = 1, ..., satisfy K) K-1 linear equation F _r (x) A function value F _r (n _r (0)) = α _r is generated, and a value α _r obtained thereby is output (step S435). A specific example of this process is as described in step S234.

The values α _r (r = 0,..., R−1) are input to the coupling unit 237. The combining unit 237 combines the R values α _r (r = 0,..., R−1) to generate a value αεG, and outputs the value α (step S235). The value α is input to and output from the output unit 132 (step S135).

On the other hand, when it is determined in step S232 that the variance value E _{λ, r} has been input, the restoration unit 436 performs the processing of steps S236, S237, and S137 described in the second embodiment.

<Features of this embodiment>
In this embodiment, compared to the conventional secret sharing scheme, the data amount of the distributed value can be greatly reduced. Further, by diverting the same value v (k) to secret sharing of a plurality of values α _r (r = 0,..., R−1), the data amount of the distributed value can be further reduced. Further, the distributed data conversion processing in the distributed data conversion device can be used to obtain a converted distributed value that can be used as an input for the secret calculation without restoring the original value α _r from the distributed value obtained by the data distribution device. It can also generate and perform secret computations.

In this embodiment, the variance value generation unit 417 has N variance values T _i (α _r ) = (V _{r, 1, i} (v (1)),..., V _{r, K−1. i} (v (K-1)), U _{r, i} (f _r (n _r (K)))) (i = 1, ..., N, r = 1, ..., R) It was decided. However, the variance generator is [n _r (1), ..., n _r (K), T _i (α _r )] (i = 1, ..., N, r = 1, ..., R) may be output. The distributed data converter generates and outputs [n _r (i), S _i (α _r )], and the data restoration device outputs any K [n _r (1), ..., n _r (K ), T _λ (α _r )] (λ∈ {1,..., N}), the value α _r may be restored. In addition, the dispersion value generation unit 417 may output other additional information as the dispersion value in addition to T _i (α _r ).

[Fifth Embodiment]
This embodiment is a modification of the first embodiment. Below, it demonstrates centering on difference with 1st Embodiment. The same reference numerals as those in the above-described embodiment are used for processing units and steps that are the same as those in the above-described embodiment, and the description will be simplified.
In the fifth embodiment, N and K are integers of 2 or more, K ≦ N, G is a certain set, and P (x) is a mapping that moves a value corresponding to x to an element of the set G is there. Specific examples of the set G and mapping P (x) in the present embodiment are the same as the specific examples of the set G and mapping P (x) described in the first embodiment. K = N may be sufficient and K <N may be sufficient.

The secret sharing system according to the first embodiment includes a data sharing device, a data restoration device, and N data storage devices.
The data distribution apparatus of this embodiment selects K-1 values v (k) (k = 1, ..., K-1) and N distribution values T _k (α) = v (k) (k = 1, ..., K-1), T _θ (α) = f (n (θ)) (θ = K, ..., N) is obtained. Where f (x) is an element of the set G with respect to the value α∈G, f (n (k)) = v (k) (k = 1, ..., K-1) and f (n (0) ) = α. n (0), n (1), ..., n (N) are different from each other. N distribution values T _i (α) (i = 1,..., N) obtained by the data distribution device are provided and stored in each of the N data storage devices, for example.

The data restoration apparatus according to the present embodiment applies K values f (n (λ)) obtained from variance values T _λ (α) corresponding to K different λ∈ {1, ..., N}. F (n (λ)) = f (n (λ)) (λ∈ {1, ..., N}) satisfying the function value F (n (0)) = α is obtained.

Preferably, in this embodiment, the total data amount of values v (k) (k = 1,..., K−1) is smaller than the total data amount of K−1 elements of the set G. Preferably, in this embodiment, the data amount of any value v (k) is smaller than the data amount of the elements of the set G. More preferably in this embodiment, the data amount of each value v (k) is smaller than the data amount of the elements (one element) of the set G. Even more preferably, the data amount of each value v (m) is negligible with respect to the data amount of the elements of the set G (for example, (data amount of each of v (m)) / (set G The amount of data in the element) ≤ 80/10 ⁶ ).

<Configuration>
As illustrated in FIG. 17, the secret sharing system 5 according to the fifth embodiment includes a data sharing device 510, N data storage devices 520-i (i = 1,..., N), and a data restoration device 530. Have The data distribution device 510 can exchange information with the N data storage devices 520-i (i = 1,..., N) via a network or a portable recording medium.

  As illustrated in FIG. 18A, the data distribution apparatus 510 of this embodiment includes an input unit 111, an output unit 112, a memory 113, a control unit 114, a selection unit 115, and a distributed value generation unit 517. The data distribution apparatus 510 according to this embodiment executes each process under the control of the control unit 514.

  As illustrated in FIG. 18B, the data storage device 520-λ (λε {1,..., N}) includes an input unit 121-λ, an output unit 122-λ, memories 123a-λ, and a storage unit 123b-. λ and a control unit 524-λ. The data storage device 520-λ of this embodiment executes each process under the control of the control unit 524-λ.

  As illustrated in FIG. 18C, the data restoration device 530 of this embodiment includes an input unit 131, an output unit 132, a memory 133, a control unit 534, and a restoration unit 536. The data restoration device 530 of this embodiment executes each process under the control of the control unit 534.

<Data distribution processing>
As illustrated in FIG. 19A, the value αεG that is secretly shared is input to the input unit 111 of the data distribution device 510 (FIG. 18A) (step S111). The data amount of the value α, that is, the data amount of the elements of the set G is, for example, 1 megabyte or more. The selection unit 115 selects K-1 values v (k) (k = 1, ..., K-1) and selects values v (k) (k = 1, ..., K-1). Is output (step S112). It is desirable that the value v (k) has a size such that v (k) is not specified by an attack such as exhaustive search from a certain function value FNC (v (k)). For example, the value v (k) is preferably a random number of about 80 bits or more.

The value α input to the input unit 111 and the K−1 values v (k) (k = 1,..., K−1) output from the selection unit 115 are input to the variance value generation unit 517. The The variance value generation unit 517 uses these to generate N variance values T _k (α) = v (k) (k = 1,..., K−1), T _θ (α) = f (n ( θ)) (θ = K,..., N) is generated, and N dispersion values T _i (α) (i = 1,..., N) are output. Where f (x) is f (n (k)) = v (k) (k) for the values n (1), ..., n (K-1) and the value α∈G that is an element of the set G. = 1,..., K−1) and f (n (0)) = α. n (0), n (1),..., n (N) are different from each other (step S514). Examples of n (0), n (1),..., n (N) are the same as those in the first embodiment. For example, n (0) = 0, n (i) = i (i = 1, ..., N)).

N variance values T _i (α) (i = 1,..., N) are input to the output unit 112, and the output unit 112 outputs N variance values T _i (α) (i = 1,... ., N) is output (step S515). Each of the output T _i (α) (i = 1,..., N) is provided to each of the data storage devices 520-i (i = 1,..., N). For example, the dispersion value T _λ (α) (λε {1,..., N}) is transmitted to the corresponding data storage device 520-λ (FIG. 18B) via a network or the like. The dispersion value T _λ (α) provided to the data storage device 520-λ is input to the input unit 121-λ and stored in the storage unit 123b-λ.

<Data restoration processing>
As illustrated in FIG. 19B, the input unit 131 of the data restoration device 530 (FIG. 18C) has K variance values T _λ (corresponding to K different λ∈ {1,..., N}. α) is input (step S531). These variance values T _λ (α) are input to the restoration unit 536, and the restoration unit 536 applies F (n (λ)) to K values f (n (λ)) obtained from these variance values T _λ (α). The function value F (n (0)) = α of the K-1 degree expression F (x) that satisfies n (λ)) = f (n (λ)) (λ∈ {1, ..., N}) And the value α obtained thereby is output (step S532). As described above, f (n (k)) = T _k (α) = v (k) (k = 1, ..., K-1) and T _θ (α) = f (n (θ)) (θ = K, ..., N). An example of a method for calculating the function value F (n (0)) = α is a method using the Lagrange interpolation method described in the first embodiment (formula (1)). The value α is input to and output from the output unit 132 (step S533).

<Features of this embodiment>
In this embodiment, compared to the conventional secret sharing scheme, the data amount of the distributed value can be greatly reduced. That is, of the N dispersion values T _i (α) (i = 1, ..., N) of the present embodiment, K-1 dispersion values T _k (α) (k = 1, ..., K−1) is the variance value T _k (α) = v (k) (k = 1,..., K−1). On the other hand, the data amount of the distributed value obtained by secretly sharing the value αεG according to the Shamir secret sharing scheme is equal to or larger than the data amount of the elements (one element) of the set G. Therefore, the data amount of each variance value T _k (α) = v (k) is smaller than the variance value obtained by secretly sharing the value α∈G according to the Shamir secret sharing scheme. How much the data amount of the variance value can be reduced depends on the difference between the data amount of v (k) and the data amount of elements of the set G. For example, if the total data amount of values v (k) (k = 1, ..., K-1) is smaller than the total data amount of K-1 elements of the set G, the variance of this embodiment The total data amount of the value is smaller than the total data amount of the distributed value of the conventional secret sharing scheme. The total data amount of the value v (k) (k = 1, ..., K-1) is smaller than the total data amount of the K-1 elements of the set G, for example, the value v (k) Or the case where the data amount of each element of the set G is smaller than the data amount of the elements of the set G.

If the amount of data for each value v (k) is negligibly small relative to the amount of data in the elements of set G, N variance values T _i (α) (i = 1, ..., N) Among them, the data amount of K-1 variance values T _k (α) = v (k) (k = 1, ..., K-1) can be ignored, and N variance values T _i (α) ( The total data amount of i = 1,..., N) is approximately the same as the total data amount of (N−K + 1) elements of the set G. Therefore, the total data amount of the distributed values in this embodiment is about (N−K + 1) / N times the total data amount of the distributed values in the Shamir secret sharing scheme. Since N ≧ K, the total data amount of the distributed values in this embodiment is smaller than the total data amount of the distributed values in the Shamir secret sharing scheme. This data amount reduction effect directly affects the amount of data transmitted from the data distribution device to the data storage device and the amount of data stored in the data storage device. In this case, considering the received data amount of the data restoring device, in this embodiment, the received data amount when the data restoring device receives T ₁ (α),..., T _K-1 (α) is minimized. If another received data is T _K (α), the received data amount of the data restoration device can be regarded as being the same as the data amount of one element of the set G. On the other hand, in the Shamir secret sharing scheme, the data restoration device receives K different f (i). Therefore, the received data amount of the data restoration device of this embodiment can be regarded as approximately 1 / K times the received data amount in the Shamir secret sharing scheme, and it can be seen that the data amount is reduced.

In addition, the variance value T _i (α) (i = 1,..., N) of the present embodiment is used as an input value of a secret calculation based on Shamir secret sharing (for example, see Non-Patent Document 2). It can also be executed.

In this embodiment, the variance value generation unit 517 has N variance values T _i (α) (i = 1,..., K), T _θ (α) = f (n (θ)) (θ = K, ..., N). However, the variance value generation unit is [n (k), T _k (α) = v (k)] (k = 1, ..., K-1), [n (θ), T _θ (α) = f (n (θ))] (θ = K, ..., N) may be output. In this case, the data restoration device is [n (k), T _k (α)] (k = 1, ..., K-1), [n (θ), T _θ (α)] (θ = K, .., N) may be restored from any K [n (λ), T _λ (α)] (λ∈ {1,..., N}).

Alternatively, the variance value generation unit may calculate [k, n (k), T _k (α) = v (k)] (k = 1, ..., K-1), [θ, n (θ), T _θ (α) = f (n (θ))] (θ = K,..., N) may be output. In this case, the data restoration device is [k, n (k), T _k (α)] (k = 1, ..., K-1), [θ, n (θ), T _θ (α)] ( Reconstruct the value α from any K [θ, n (λ), T _λ (α)] (λ∈ {1, ..., N}) of θ = K, ..., N) Also good.

Alternatively, the variance value generation unit [k, T _k (α) = v (k)] (k = 1, ..., K-1), [θ, T _θ (α) = f (n (θ ))] (θ = K, ..., N) may be output. In this case, the data restoration device is [k, T _k (α)] (k = 1, ..., K-1), [θ, T _θ (α)] (θ = K, ..., N) The value α may be restored from any K [λ T _λ (α)] (λ∈ {1,..., N}). In addition, the dispersion value generation unit 117 may output other additional information as a dispersion value in addition to T _i (α).

The data amount of i, n (i) (i = 1,..., N) is smaller than the data amount of the elements of the set G. Preferably, the data amount of i, n (i) (i = 1,..., N) is negligible with respect to the data amount of the elements of the set G (for example, (i, n (i) Respective data amount) / (data amount of elements of set G) ≦ 80/10 ⁶ ).

[Sixth Embodiment]
Next, a sixth embodiment of the present invention will be described. This embodiment is a modification of the second and fifth embodiments, and the data value of the distributed value is further reduced by diverting the same value v (k) to a plurality of secret shares. Below, it demonstrates centering on difference with the above-mentioned embodiment. The same reference numerals as those in the above-described embodiment are used for processing units and steps that are the same as those in the above-described embodiment, and the description will be simplified.
In the sixth embodiment, N, K, and R are integers of 2 or more, K ≦ N, and G is a certain set. A specific example of the set G of the present embodiment is the same as the specific example of the set G described in the first embodiment. K = N may be sufficient and K <N may be sufficient.

The secret sharing system according to the sixth embodiment includes a data sharing device, a data restoration device, N data storage devices, and K-1 distributed data conversion devices.
The data distribution apparatus of this embodiment selects K−1 values v (k) (k = 1,..., K−1), and sets values corresponding to r and value v (k) to z ( r, v (k)), and K-1 values for each r a _r (k) = z (r, v (k)) (r = 1, ..., R, k = 1 , ..., K-1), and for each of k (k = 1, ..., K-1), R T _k (α ₁ ), ..., T _k (α _R ) At least one is v (k), T _θ (α _r ) = f _r (n _r (θ)) (θ = K,..., N), and N variance values T _i for each of r Get (α _r ) (i = 1, ..., N, r = 1, ..., R). Where f _r (x) is f _r (n _r (k)) for the values n _r (1), ..., n _r (K-1) and the value α _r ∈G that is an element of the set G. _{= a r (k) (k} = 1, ..., K-1) and _{f r (n r (0)} ) = a K-1 order equation that satisfies alpha _r. The values n _r (0), n _r (1),..., N _r (N) corresponding to the same r are different from each other.

The data restoration apparatus according to the present embodiment is configured such that for each of r (r = 1,..., R), K dispersion values T _λ corresponding to K different λ∈ {1,. From (α _r ), values f _r (n _r (λ)) corresponding to K different values n _r (λ) (λ∈ {1, ..., N}) are obtained, and r (r = 1, ..., R) for each value f _r (n _r (λ)), F _r (n _r (λ)) = f _r (n _r (λ)) (λ∈ {1 ,..., N}), a function value F _r (n _r (0)) = α _r of the K−1 linear expression F _r (x) is obtained. For example, the data restoration apparatus according to the present embodiment includes k variance values T _λ (α _r ) corresponding to K different λ∈ {1,..., N} to v (κ) (κ∈ {1 , ..., K-1}), let f _r (n _r (κ)) = z (r, v (κ)) (r = 1, ..., R).

Each of the distributed data converters has a distributed value T _κ (α _{r ′} ) = v (κ) (κ∈ {1, ..., K-1}, r′∈ {1, ..., R}) To obtain a transformed variance value S _κ (α _r ) = z (r, v (κ)). The transform variance value S _κ (α _r ) thus obtained is used as an input value for secret calculation.

Preferably, in this embodiment, the total data amount of values v (k) (k = 1,..., K−1) is smaller than the total data amount of K−1 elements of the set G. Preferably, in this embodiment, the data amount of any value v (k) is smaller than the data amount of the elements of the set G. More preferably in this embodiment, the data amount of each value v (k) is smaller than the data amount of the elements (one element) of the set G. Even more preferably, the data amount of each value v (m) is negligible with respect to the data amount of the elements of the set G (for example, (data amount of each of v (m)) / (set G The amount of data in the element) ≤ 80/10 ⁶ ).

<Configuration>
As illustrated in FIG. 1, the secret sharing system 6 of the sixth embodiment includes a data distribution device 210 and K−1 distributed data conversion devices 240-k (k = k =) included in the secret distribution system 2 of the second embodiment. 1,..., K-1) and the data restoration device 230 include a data distribution device 610, K-1 distributed data conversion devices 640-k (k = 1,..., K-1) and data restoration. Each is replaced with a device 630.

  As illustrated in FIG. 18A, the data distribution apparatus 610 according to the present exemplary embodiment includes an input unit 111, a division unit 211, an output unit 112, a memory 113, a control unit 614, a selection unit 115, and a distributed value generation unit 617. The data distribution apparatus 610 according to the present embodiment executes each process under the control of the control unit 614.

  As illustrated in FIG. 18A, the data restoration device 630 of this embodiment includes an input unit 131, an output unit 132, a memory 133, a control unit 634, a restoration unit 636, and a combining unit 637. The data restoration device 630 according to the present embodiment executes each process under the control of the control unit 634.

  As illustrated in FIG. 20, the distributed data conversion apparatus 640-κ (κε {1,..., K-1}) of this embodiment includes an input unit 141-κ, an output unit 142-κ, and a memory 143a-. κ, storage unit 143b-κ, control unit 244-κ, and transform variance value generation unit 646-κ. The distributed data conversion apparatus 640-κ according to this embodiment executes each process under the control of the control unit 644-κ.

<Data distribution processing>
As illustrated in FIG. 21A, a secret value α is input to the input unit 111 of the data distribution device 610 (FIG. 18A) (step S111). The value α is input to the dividing unit 211. Dividing unit 211, R number of values alpha _r ∈G value alpha is an element of the set G (r = 1, ..., R) is divided into, R number of values α _{r (r} = 1, .. ., R) is output (step S211). The selection unit 115 selects K-1 values v (k) (k = 1, ..., K-1) and selects values v (k) (k = 1, ..., K-1). Is output (step S112).

R values α _r (r = 1,..., R) output from the dividing unit 211 and K−1 values v (k) (k = 1,...) Output from the selection unit 115. , K−1) is input to the variance value generation unit 617. The variance value generation unit 617 uses at least one of _R T _k (α ₁ ),..., T _k (α _R ) for each of k (k = 1,..., K−1) as v. (k), T _θ (α _r ) = f _r (n _r (θ)) (θ = K, ..., N), and N dispersion values T _i (α _r ) ( i = 1, ..., N, r = 1, ..., R). Where f _r (x) is f _r (n _r (k)) for the values n _r (1), ..., n _r (K-1) and the value α _r ∈G that is an element of the set G. = z (r, v (k )) (k = 1, ..., K-1) and _{f r (n r (0)} ) = a K-1 order equation that satisfies alpha _r. The values n _r (0), n _r (1),..., N _r (N) corresponding to the same r are different from each other (step S614).

R × N variance values T _i (α _r ) (i = 1, ..., N, r = 1, ..., R) are input to the output unit 112, and the output unit 112 has N variances. The values T _i (α _r ) (i = 1,..., N, r = 1,..., R) are output (step S615). Each of the output variance values T _i (α _r ) (i = 1,..., N, r = 1,..., R) corresponds to the data storage device 220-i (i = 1,. ), N). The dispersion values T _λ (α _r ) (r = 1,..., R) provided to the data storage device 220-λ are input to the input unit 121-λ and stored in the storage unit 123b-λ.

<Distributed data conversion processing>
A distributed data conversion process executed by the distributed data conversion device 640-κ (κε {1,..., K-1}) will be described with reference to FIG.
Variance value T _κ (α _r ) (r = 1,..., R) stored in the storage unit 123b-κ of the data storage device 640-κ (κε {1,..., K−1}). Is sent to the output unit 122-κ, and the output unit 122-κ outputs the dispersion value T _κ (α _r ) (r = 1,..., R). The output distributed value T _κ (α _r ) (r = 1,..., R) is transmitted to the corresponding distributed data conversion device 640-κ (κ∈ {1,. K-1}) (FIG. 20). The distributed values T _κ (α _r ) (r = 1,..., R) provided to the distributed data converter 640-κ are input to the input unit 141-κ and stored in the storage unit 143b-κ ( Step S641-κ).

The transformed variance value generation unit 646-κ is a variance value T _κ (α _{r ′} ) = v (κ) (κ∈ {1,..., K−) that is v (κ) read from the storage unit 143b-κ. 1}, r′∈ {1, ..., R}) to generate a transformed variance value S _κ (α _r ) = z (r, v (κ)), and the transformed variance value S _κ (α _r ) Is output (step S642-κ). The output transform variance value S _κ (α _r ) (r = 1, ..., R) is sent to the corresponding data storage device 220-κ (r = 1, ..., R) via a network or the like. ) (FIG. 2B). The transformed variance value S _κ (α _r ) (r = 1,..., R) is input to the input unit 121-κ of the corresponding data storage device 220-κ and stored in the storage unit 123b-κ.

<Data restoration processing>
As illustrated in FIG. 21C, the input unit 131 of the data restoration device 630 (FIG. 18A) has a variance value T _λ (α _r ) corresponding to K different λ∈ {1,..., N}. (r = 1,..., R) or variance Eλ _{, r} (r = 1,..., R) is input (step S631). The control unit 634 determines whether the variance value T _λ (α) is input or the variance value E _λ is input (step S632).

If it is determined in step S 632 that the variance value T _λ (α _r ) has been input, these K × R variance values T _λ (α _r ) are input to the restoration unit 636. For each of r (r = 1,..., R), the restoration unit 636 uses K dispersion values T _λ (α _r corresponding to K different λ∈ {1,..., N}. ), K values f _r (n _r (λ)) corresponding to K different values n _r (λ) (λ∈ {1,..., N}) are obtained. At this time, the restoration unit 636 applies v (κ) (κ∈ {1,...) To K dispersion values T _λ (α _r ) corresponding to K different λ∈ {1,. .., K-1}) is included, it is assumed that f _r (n _r (κ)) = z (r, v (κ)) (r = 1,..., R) (step S633). The restoration unit 636 performs F _r (n _r (λ)) = f _r (n _r (λ)) (λ∈ {1,..., For K values f _r (n _r (λ)). N}) to generate a function value F _r (n _r (0)) = α _r of the K-1 linear expression F _r (x), and output the value α _r (r = 1, ..., R) (Step S634). In order to generate the function value F _r (n _r (0)) = α _r , for example, a Lagrange interpolation method or the like is used (formula (2)). The values α _r (r = 0,..., R−1) are input to the coupling unit 237. The combining unit 237 combines the R values α _r (r = 0,..., R−1) to generate a value αεG, and outputs the value α (step S235). The value α is input to and output from the output unit 132 (step S135). On the other hand, if it is determined in step S632 that the variance E _{λ, r} has been input, the processes of steps S236, S237, and S137 described in the second embodiment are executed.

<Features of this embodiment>
In this embodiment, compared to the conventional secret sharing scheme, the data amount of the distributed value can be greatly reduced. The distributed data conversion process in the distributed data conversion device generates a converted distributed value that can be used as an input for the secret calculation without restoring the original value α _r from the distributed value obtained by the data distribution device. Secret calculations can also be performed. Similarly to the second embodiment, the variance value generation unit may output n _r (i), i, r, and other additional information as variance values in addition to T _i (α).
[Seventh Embodiment]
Next, a seventh embodiment of the present invention will be described. The present embodiment is a modification of the third and fifth embodiments, and further secretly distributes the elements included in the distribution values of the fifth embodiment to further reduce the data amount. Below, it demonstrates centering on difference with the above-mentioned embodiment. The same reference numerals as those in the above-described embodiment are used for processing units and steps that are the same as those in the above-described embodiment, and the description will be simplified.
In the seventh embodiment, N and K are integers of 2 or more, K ≦ N, and G is a certain set. A specific example of the set G of the present embodiment is the same as the specific example described in the first embodiment. K = N may be sufficient and K <N may be sufficient.

The secret sharing system according to the seventh embodiment includes a data distribution device, a data restoration device, N data storage devices, and N distributed data conversion devices.
The data distribution apparatus of this embodiment selects K−1 values v (k) (k = 1,..., K−1) and obtains a value f (n (K)). Where f (x) is f (n (k)) = v (k) (value n (1), ..., n (K-1) and value α∈G which is an element of the set G. A K−1 order expression satisfying k = 1,..., K−1) and f (n (0)) = α is f (x). n (0), n (1), ..., n (K) are different from each other. The data distribution apparatus secretly distributes v (k) (k = 1, ..., K-1) according to the (K, N) threshold secret distribution method V _{k and} N distributed values V for each k. _{k, i} (v (k)) (i = 1, ..., N) is obtained, and the value f (n (K)) is secretly distributed according to the (K, N) threshold secret sharing method U. Variance value U _i (f (n (K))) (i = 1, ..., N) and N variance values T _i (α) = (V _{1, i} (v (1)) , ..., V _{K-1, i} (v (K-1)), U _i (f (n (K)))) (i = 1, ..., N). Specific examples of the (K, N) threshold secret sharing method V _k and the (K, N) threshold secret sharing method U are as described in the third embodiment.

The data restoration apparatus according to the present embodiment uses K different n (μ) (μ) from K variance values T _λ (α) corresponding to K different λ∈ {1,. K values f (n (μ)) (μ = 1, ..., K) corresponding to = 1, ..., K) are obtained. For example, the data restoration apparatus may _calculate values f (n (K)) and v (k) from K variance values T _λ (α) corresponding to K different λ∈ {1, ..., N}. ) (k = 1, ..., K-1) is restored and f (n (k)) = v (k) (k = 1, ..., K-1) K values f (n (μ)) (μ = 1,..., K) corresponding to n (μ) (μ = 1,..., K) are obtained. The data restoration device uses a function value F (n (0) of the K-1 degree expression F (x) that satisfies F (n (μ)) = f (n (μ)) )) = α is obtained.

The first,..., K−1th distributed data conversion apparatus of the present embodiment has K distributed values T _λ (α) (corresponding to K different λ∈ {1,. v (κ) (κ∈ {1, ..., K-1}) is restored from V _{κ, λ} (v (κ)) included in λ∈ {1, ..., N}), and v The transformation dispersion value P (v (κ)) (κ∈ {1,..., K−1}) is obtained from (κ). The K-th distributed data conversion apparatus according to the present embodiment includes K U _λ (f included in K distributed values T _λ (α) corresponding to K different λ∈ {1,. From (n (K))), a transform variance value f (n (K)) is obtained. The K + 1, ..., Nth distributed data converter of this embodiment is F (n (η) corresponding to n (η) different from n (μ) (μ = 1, ..., K). ) (η∈ {K + 1, ..., N}). Where F (x) is obtained from v (k) restored from K V _{k, λ} (v (k)) corresponding to K different λ∈ {1, ..., N}. F (n (k)) = v (k) (k = 1, ..., K-1) and K corresponding to K different λ∈ {1, ..., N} U ( _λ (f (n (K))) and f (n (K)) restored from f (n (μ)) (μ = 1, ..., K) and F (n (μ)) = f (n (μ)) (K−1 order equation satisfying (μ = 1,..., K)). The transform variance value obtained in this way is used as an input value for secret calculation.

Preferably, in this embodiment, the total data amount of values v (k) (k = 1,..., K−1) is smaller than the total data amount of K−1 elements of the set G. Preferably, in this embodiment, the data amount of any value v (k) is smaller than the data amount of the elements of the set G. More preferably in this embodiment, the data amount of each value v (k) is smaller than the data amount of the elements (one element) of the set G. Even more preferably, the data amount of each value v (m) is negligible with respect to the data amount of the elements of the set G (for example, (data amount of each of v (m)) / (set G The amount of data in the element) ≤ 80/10 ⁶ ).

<Configuration>
As illustrated in FIG. 6, the secret sharing system 7 of the seventh embodiment includes a data distribution device 310 of the secret sharing system 3 of the third embodiment and N distributed data conversion devices 340-i (i = 1,. .., N) and the data restoration device 330 are replaced with a data distribution device 710, N distributed data conversion devices 740-i (i = 1,..., N) and a data restoration device 730, respectively. is there.

  As illustrated in FIG. 22, the data distribution apparatus 710 of this embodiment includes an input unit 111, an output unit 112, a memory 113, a control unit 714, a selection unit 115, internal distribution units 318 and 719, and a distributed value generation unit 717. Have. The data distribution apparatus 710 of this embodiment executes each process under the control of the control unit 714.

  As illustrated in FIG. 8, the data restoration device 730 of this embodiment includes an input unit 131, an output unit 132, a memory 133, a control unit 734, a conversion unit 735, and a restoration unit 736. The conversion unit 735 includes internal restoration units 735a and 735b. The data restoration device 730 of this embodiment executes each process under the control of the control unit 734.

  As illustrated in FIG. 9A, the distributed data conversion apparatus 740-κ (κε {1,..., K-1}) of this embodiment includes an input unit 141-κ, an output unit 142-κ, and a memory 143a-. κ, storage unit 143b-κ, control unit 344-κ, internal restoration unit 745-κ, and transform variance value generation unit 746-κ. As illustrated in FIG. 9B, the distributed data conversion apparatus 740-K according to the present embodiment includes an input unit 141-K, an output unit 142-K, a memory 143a-K, a storage unit 143b-K, a control unit 744-K, and A conversion variance value generation unit 746-K is included. As illustrated in FIG. 10, the distributed data conversion apparatus 740-η (ηε {K + 1,..., N}) according to this embodiment includes an input unit 141-η, an output unit 142-η, and a memory 143a-. η, a storage unit 143b-η, a control unit 744-η, and a conversion variance value generation unit 746-η. The distributed data conversion apparatus 340-λ according to this embodiment executes each process under the control of the control unit 340-λ.

<Data distribution processing>
As illustrated in FIG. 23, a secret value αεG is input to the input unit 111 of the data distribution device 710 (FIG. 22) (step S111). The selection unit 115 selects K-1 values v (k) (k = 1, ..., K-1) and selects values v (k) (k = 1, ..., K-1). Is output (step S112).

  The value α input to the input unit 111 and the K−1 values v (k) (k = 1,..., K−1) output from the selection unit 115 are input to the calculation unit 716. The calculation unit 716 generates a value f (n (K)) using these, and outputs the obtained value f (n (K)). Where f (x) is f (n (k)) = v (k) (k) for the values n (1), ..., n (K-1) and the value α∈G that is an element of the set G. = 1,..., K−1) and f (n (0)) = α. n (0), n (1),..., n (K) are different from each other (step S714).

The K−1 values v (k) (k = 1,..., K−1) output from the selection unit 115 are input to the internal distribution unit 318 and the value f (n) output from the calculation unit 716. (K)) is input to the internal distribution unit 719. The internal distribution unit 318 performs secret sharing for each of v (k) (k = 1,..., K−1) according to the (K, N) threshold secret sharing method V _k , Generate variance value V _{k, i} (v (k)) (i = 1, ..., N) and distribute value V _{k, i} (v (k)) (i = 1, ..., N, k = 1,..., K-1) are output (step S715). The internal distribution unit 719 secretly distributes the value f (n (K)) according to the (K, N) threshold value secret distribution method U, and N distributed values U _i (f (n (K))) (i = 1,..., N) is generated, and the variance value U _i (f (n (K))) (i = 1,..., N) is output (step S716). The internal dispersion unit 319 generates dispersion values U _i (f (n (K))) (i = 1,..., N) according to the method described in Reference Document 1, for example ([(K, N) See examples 1 and 2 of threshold secret sharing method U).

Variance V _{k, i} (v (k)) (i = 1, ..., N, k = 1, ..., K-1) and variance U _i (f (n (K))) (i = 1,..., N) is input to the variance value generation unit 717. The variance value generation unit 717 uses these to generate N variance values T _i (α) = (V _{1, i} (v (1)), ..., V _{K−1, i} (v (K−1) )), U _i (f (n (K)))) (i = 1, ..., N) and outputs variance T _i (α) (i = 1, ..., N) (Step S717).

N variance values T _i (α) (i = 0,..., N−1) are input to the output unit 112, and the output unit 112 outputs N variance values T _i (α) (i = 0, ..., N-1) are output (step S718). Each of the output variance values T _i (α) (i = 0,..., N−1) is provided to each of the data storage devices 320-i (i = 1,..., N). . The dispersion value T _λ (α) provided to the data storage device 320-λ is input to the input unit 121-λ and stored in the storage unit 123b-λ.

<Distributed data conversion processing>
A distributed data conversion process executed by the distributed data conversion device 740-λ (λε {1,..., N}) will be described with reference to FIGS. 24A, 12B, and 12C.
[Processing of Distributed Data Conversion Device 340-κ (κε {1,..., K-1}) (FIG. 24A)]
The distribution stored in the storage unit 123b-λ from the output unit 122-λ of the K data storage devices 320-λ (FIG. 7B) corresponding to K different λ∈ {1,..., N}. V _{κ, λ} (v (κ)) included in the value T _λ (α) is output. K V _{κ, λ} (v (κ)) corresponding to K different λ∈ {1,..., N} are distributed via the network or the like to the distributed data converter 340-κ (κ .Epsilon. {1,..., K-1}) (FIG. 9A) is input to the input unit 141-κ and stored in the storage unit 143b-κ (step S741-κ).

The internal restoration unit 745-κ stores K V _{κ, λ} (v (κ)) corresponding to K different λ∈ {1,..., N} stored in the storage unit 143b-κ. V (κ) is restored from the above and v (κ) obtained is output (step S742-κ). v (κ) is input to the transformed variance generation unit 746-κ. The transformed variance value generation unit 746-κ outputs the transformed variance value S _κ (α) = v (κ) (step S743-κ). The transformed variance value S _κ (α) is input to the output unit 142-κ, and the output unit 142-κ outputs the transformed variance value S _κ (α) (step S744-κ). The transformed variance value S _κ (α) is transmitted to the corresponding data storage device 320-κ (FIG. 7B) via a network or the like. The transformed variance value S _κ (α) is input to the input unit 121-κ of the data storage device 320-κ and stored in the storage unit 123b-κ.

[Processing of Distributed Data Conversion Device 740-K (FIG. 12B)]
As illustrated in FIG. 12B, the distributed data conversion apparatus 740-K performs the processes of steps S341-K, S342-K, and S343-K in which the converted dispersion value generation unit 346-K is converted into the conversion dispersion value generation unit 746-K. Run.

[Processing of Distributed Data Conversion Device 340-η (η∈ {K + 1,..., N})] (FIG. 12C)]
The transform variance value generation unit 746-η of the distributed data converter 340-η (η∈ {K + 1,..., N}) (FIG. 10) has n (1),. F (n (η)) corresponding to n (η) different from the above is generated, and F (n (η)) is output as the transformed dispersion value S _η (α) = F (n (η)). Where F (x) is obtained from v (k) restored from K V _{k, λ} (v (k)) corresponding to K different λ∈ {1, ..., N}. F (n (k)) = v (k) (k = 1, ..., K-1) and K corresponding to K different λ∈ {1, ..., N} U ( _λ (f (n (K))) and f (n (K)) restored from f (n (μ)) (μ = 1, ..., K) and F (n (μ)) = f (n (μ)) (K−1 order equation satisfying (μ = 1,..., K)). For example, the processing in which “f (n (κ)) = P (v (κ))” in steps S341-η to S344-η described above is replaced with “f (n (κ)) = v (κ)”. The dispersion value S _η (α) = F (n (η)) is generated by (Steps S741-η to S744-η).

<Distributed value provision / secret calculation>
The data storage devices 320-λ (FIG. 7B) corresponding to K different λ∈ {1,..., N} output the variance value T _λ (α) stored in the storage unit 123b-λ. Alternatively, the secret calculation unit 327-λ performs secret calculation and outputs a variance value E _λ representing the result. These are sent to the data restoration device 730 via a network or the like.

<Data restoration processing>
As illustrated in FIG. 13, the input unit 131 of the data restoration device 730 (FIG. 8) has K variance values T _λ (corresponding to K different λ∈ {1,..., N}. α) or K dispersion values E _λ are input (step S731). The control unit 134 determines whether K variance values T _λ (α) have been input or K variance values E _λ have been input (step S732).

If it is determined in step S732 that K dispersion values T _λ (α) have been input, these K dispersion values T _λ (α) are input to the conversion unit 735. The converting unit 735 _calculates K different n (μ) (μ = 1, μ) from K variance values T _λ (α) corresponding to K different λ∈ {1,..., N}. ..., K) corresponding to K values f (n (μ)) (μ = 1, ..., K). First, the internal restoration unit 735a of the conversion unit 735 _calculates the value f (n) from the K variance values T _λ (α) corresponding to the input K different λ∈ {1,. (K)) and v (k) (k = 1, ..., K-1) and restore the values f (n (K)) and v (k) (k = 1, ..., K- 1) is output (step S733).

  The values f (n (K)) and v (k) (k = 1,..., K−1) are input to the coordinate restoration unit 735b. The coordinate restoration unit 735b sets f (n (k)) = v (k) (k = 1,..., K−1), and K values f including these values f (n (K)). (n (μ)) (μ = 1,..., K) is output (step S734).

  K values f (n (μ)) (μ = 1,..., K) are input to the restoration unit 736. The restoration unit 736 performs F (n (μ)) = f (n (μ)) (μ = 1 for these K values f (n (μ)) (μ = 1,..., K). ,..., K), the function value F (n (0)) = α of the K−1 linear expression F (x) is generated, and the value α obtained thereby is output (step S735). The value α is input to and output from the output unit 132 (step S135).

On the other hand, when it is determined in step S732 that the variance value E _λ has been input, the restoration unit 736 performs the processing of steps S136 and S137 described in the first embodiment.

<Features of this embodiment>
In this embodiment, compared to the conventional secret sharing scheme, the data amount of the distributed value can be greatly reduced. Furthermore, the distributed data conversion process in the distributed data conversion device generates a converted distributed value that can be used as an input for the secret calculation without restoring the original value α from the distributed value obtained by the data distribution device. It is also possible to execute a secret calculation. Similarly to the third embodiment, in this embodiment, the variance value generation unit may output n (i), i and other additional information as variance values in addition to T _i (α).

[Eighth Embodiment]
Next, an eighth embodiment of the present invention will be described. This embodiment is a modification of the fourth and seventh embodiments, and the data value of the distributed value is further reduced by diverting the same value v (k) to a plurality of secret shares. Below, it demonstrates centering on difference with the above-mentioned embodiment. The same reference numerals as those in the above-described embodiment are used for processing units and steps that are the same as those in the above-described embodiment, and the description will be simplified.
In the seventh embodiment, N, K, and R are integers of 2 or more, K ≦ N, and G is a certain set. A specific example of the set G of the present embodiment is the same as the set G described in the first embodiment. K = N may be sufficient and K <N may be sufficient.

The secret sharing system of the eighth embodiment has a data sharing device, a data restoration device, N data storage devices, and N distributed data conversion devices.
The data distribution apparatus of this embodiment selects K−1 values v (k) (k = 1,..., K−1), and sets values corresponding to r and value v (k) to z ( r, v (k)) and the value f _r (n _r (K)) is obtained. However, the values n _r (0), n _r (1), ..., n _r (K) corresponding to the same r are different from each other, and the values n _r (1), ..., n _r (K- F _r (n _r (k)) = z (r, v (k)) (k = 1, ..., K-1) and f with respect to 1) and the value α _r ∈G which is an element of the set G _A K−1 order expression satisfying _r (n _r (0)) = α _r is f _r (x). The data distribution apparatus secretly distributes v (k) (k = 1, ..., K-1) according to the (K, N) threshold secret distribution method V _{k and} N distributed values V for each k. _{k, i} (v (k)) (i = 1, ..., N), and for each of _r , the value f _r (n _r (K) according to the (K, N) threshold secret sharing scheme U _r ) To obtain N distributed values U _{r, i} (f _r (n _r (K))) (i = 1, ..., N) and r (r = 1, ..., N variance values T _i (α _r ) = (V _{r, 1, i} (v (1)), ..., V _{r, K-1, i} (v (K-1)) for each of R) ), U _{r, i} (f _r (n _r (K)))) (r = 1, ..., R, i = 1, ..., N). However, at least _one of V _{1, k, i} (v (k)), ..., V _{R, k, i} (v (k)) is the variance value V _{k, i} (v (k)) . An example of the (K, N) threshold secret sharing method _Ur is as described in the fourth embodiment.

The data restoration apparatus according to the present embodiment is configured such that for each of r (r = 1,..., R), K dispersion values T _λ corresponding to K different λ∈ {1,. From (α _r ), values f _r (n _r (μ)) (μ = 1, ..., K corresponding to K different n _r (μ) (μ = 1, ..., K) ) And for each of r (r = 1, ..., R), F _r (n _r (μ)) = f _r (n _r (μ)) (μ = 1, ..., K) A function value F _r (n _r (0)) = α _r of the K−1 linear expression F _r (x) that satisfies is obtained. For example, the data restoration apparatus, for each of r (r = 1,..., R), has a variance value T _λ (α _r ) corresponding to K different λ∈ {1,. From the values f _r (n _r (K)) (r = 1, ..., R) and v (k) (k = 1, ..., K-1) and r (r = 1 , ..., R) for each of f _r (n _r (k)) = z (r, v (k)) (k = 1, ..., K-1), and K different from each other _{n r (μ) (μ =} 1, ..., K) values corresponding to _{f r (n r (μ)} ) (μ = 1, ..., K) obtained.

The first,..., K−1th distributed data conversion apparatus of the present embodiment has a distributed value T _λ (α _r ) (λ∈ corresponding to K different λ∈ {1,..., N}. V (κ) (κ∈ {1, ..., K-1}) is restored from V _{κ, λ} (v (κ)) included in {1, ..., N}), and r (r = 1, ..., R), the transformation variance z (r, v (κ) (κ∈ {1, ..., K-1}) is obtained from v (κ). The K-th distributed data converter has U _{r, λ} (f _r (n _r (K (K)) included in the distributed values T _λ (α _r ) corresponding to K different λ∈ {1, ..., N}. ))) To obtain the transformed variance value f _r (n _r (K)) (r = 1,..., R) The K + 1,. F _r (n _r (η)) (η∈ {K + 1, ..., N} corresponding to n _r (η) different from n _r (μ) (μ = 1, ..., K) Where F _r (x) is the variance T _λ (α _r ) (λ∈ {1, ..., N) corresponding to K different λ∈ {1, ..., N}. N}) included in V _{k, λ} (v (k)), f _r (n _r (k)) = z (r, v (k)) (r = 1, ..., R, k = 1, ..., K-1) and K different λ∈ {1, ..., N} Corresponding variance T λ _{(α r)} comprises _{U r, λ (f r (} n r (K))) variances values are restored from _{f r (n r (K)} ) (r = 1, .. _Fr (n _r (μ)) = f _r (n _r (μ)) for f _r (n _r (μ)) (μ = 1, ..., K) K−1 linear expression satisfying (μ = 1,..., K) The transform dispersion value obtained in this way is used as an input value for secret calculation.

Preferably, in this embodiment, the data amount of the variance value U _{r, i} (f _r (n _r (K))) is smaller than the data amount of the elements of the set G. Preferably, in this embodiment, the data amount of each of the variance values V _{r, k, i} (v (k)) is smaller than the data amount of the elements of the set G. More preferably in this embodiment, the data amount of each value v (k) is smaller than the data amount of the elements (one element) of the set G. Even more preferably, the data amount of each value v (m) is negligible with respect to the data amount of the elements of the set G (for example, (data amount of each of v (m)) / (set G The amount of data in the element) ≤ 80/10 ⁶ ).

<Configuration>
As illustrated in FIG. 6, the secret sharing system 8 of the eighth embodiment includes a data distribution device 410 and N distributed data conversion devices 440-i (i = 1,...) Of the secret distribution system 4 of the fourth embodiment. .., N) and the data restoration device 430 are replaced with a data distribution device 810, N distributed data conversion devices 840-i (i = 1,..., N) and a data restoration device 830, respectively. is there.

  As illustrated in FIG. 22, the data distribution apparatus 710 of this embodiment includes an input unit 111, an output unit 112, a memory 113, a control unit 314, a selection unit 115, a division unit 211, a calculation unit 716, and internal distribution units 318 and 719. And a variance value generation unit 717. The data distribution apparatus 710 of this embodiment executes each process under the control of the control unit 714.

  As illustrated in FIG. 8, the data restoration device 830 of this embodiment includes an input unit 131, an output unit 132, a memory 133, a control unit 834, a conversion unit 835, a restoration unit 836, and a combining unit 237. The conversion unit 835 includes internal restoration units 835a and 835b. The data restoration apparatus 830 of this embodiment executes each process under the control of the control unit 834.

  As illustrated in FIG. 9A, the distributed data conversion apparatus 840-κ (κε {1,..., K-1}) of this embodiment includes an input unit 141-κ, an output unit 142-κ, and a memory 143a-. κ, a storage unit 143b-κ, a control unit 844-κ, an internal restoration unit 845-κ, and a transform variance value generation unit 847-κ. As illustrated in FIG. 9B, the distributed data conversion apparatus 840-K according to the present embodiment includes an input unit 141-K, an output unit 142-K, a memory 143a-K, a storage unit 143b-K, a control unit 844-K, and A conversion variance value generation unit 446-K is included. As illustrated in FIG. 10, the distributed data conversion apparatus 840-η (ηε {K + 1,..., N}) of this embodiment includes an input unit 141-η, an output unit 142-η, and a memory 143a-. η, a storage unit 143b-η, a control unit 844-η, and a transform variance value generation unit 847-η. The distributed data conversion apparatus 440-λ according to this embodiment executes each process under the control of the control unit 440-λ.

<Data distribution processing>
As illustrated in FIG. 25, a secret value α is input to the input unit 111 of the data distribution device 810 (FIG. 22) (step S111). The value α is input to the dividing unit 211. Dividing unit 211, R number of values alpha _r ∈G value alpha is an element of the set G (r = 1, ..., R) is divided into, R number of values α _{r (r} = 1, .. ., R) is output (step S211). The selection unit 115 selects K-1 values v (k) (k = 1, ..., K-1) and selects values v (k) (k = 1, ..., K-1). Is output (step S112).

The values α _r (r = 1,..., R) output from the dividing unit 211 and the K−1 values v (k) (k = 1,. K-1) is input to the calculation unit 816. The calculation unit 816 generates values f _r (n _r (K)) (r = 1,..., R) using these, and the obtained values f _r (n _r (K)) (r = 1, ..., R) is output. However, f _r (x) is the value _{n r (1), ...,} n r (K-1) and an element of the set G value alpha _r ∈G and for _{f r (n r (k)} ) = It is a K−1 order equation satisfying z (r, v (k)) and f _r (n _r (0)) = α _r . The values n _r (0), n _r (1),..., N _r (K) corresponding to the same r are different from each other (step S814).

The K−1 values v (k) (k = 1,..., K−1) output from the selection unit 115 are input to the internal distribution unit 318 and the values f _r ( n _r (K)) (r = 1,..., R) is input to the internal dispersion unit 819. The internal distribution unit 318 performs secret sharing for each of v (k) (k = 1,..., K−1) according to the (K, N) threshold secret sharing method V _k , Generate variance value V _{k, i} (v (k)) (i = 1, ..., N) and distribute value V _{k, i} (v (k)) (i = 1, ..., N, k = 1,..., K-1) are output (step S815). The internal distribution unit 819 secretly distributes the value f _r (n _r (K)) for each of _r according to the (K, N) threshold value secret distribution method U _r , and N distributed values U _{r, i} (f _r (n _r (K))) (i = 1, ..., N) and the variance U _{r, i} (f _r (n _r (K))) (i = 1, ..., N, r = 1,..., R) are output (step S816).

Variance V _{k, i} (v (k)) (i = 1, ..., N, k = 1, ..., K-1) and variance U _{r, i} (f _r (n _r (K ))) (i = 1,..., N) are input to the variance value generation unit 817. The variance value generation unit 817 uses these to calculate N variance values T _i (α _r ) = (V _{r, 1, i} (v (1)) for each of r (r = 1,..., R). ), ..., V _{r, K-1, i} (v (K-1)), U _{r, i} (f _r (n _r (K)))) (r = 1, ..., R, i = 1, ..., N) and R × N variances T _i (α _r ) = (V _{r, 1, i} (v (1)), ..., V _{r, K -1, i} (v (K-1)), U _{r, i} (f _r (n _r (K)))) (r = 1, ..., R, i = 1, ..., N) Is output (step S817). However, at least _one of V _{1, k, i} (v (k)), ..., V _{R, k, i} (v (k)) is the variance value V _{k, i} (v (k)) .

R × N variance values T _i (α _r ) (i = 1, ..., N, r = 1, ..., R) are input to the output unit 112, and the output unit 112 has N variances. The values T _i (α _r ) (i = 1,..., N, r = 1,..., R) are output (step S818). Each of the output variance values T _i (α _r ) (i = 1,..., N, r = 1,..., R) corresponds to the data storage device 420-i (i = 1,. ), N). The dispersion value T _λ (α _r ) (r = 1,..., R) provided to the data storage device 420-λ is input to the input unit 121-λ and stored in the storage unit 123b-λ.

<Distributed data conversion processing>
The distributed data conversion process executed by the distributed data conversion device 840-λ (λε {1,..., N}) will be described with reference to FIGS. 24B, 15B, and 15C.
[Processing of Distributed Data Conversion Device 840-κ (κε {1,..., K-1}) (FIG. 24B)]
The distribution stored in the storage unit 123b-λ from the output unit 122-λ of the K data storage devices 420-λ (FIG. 7B) corresponding to K different λ∈ {1,. V _{r, κ, λ} (v (κ)) (r = 1,..., R) included in the value T _λ (α _r ) (r = 1,..., R) is output. V _{r, κ, λ} (v (κ)) (r = 1, ..., R) corresponding to K different λ∈ {1, ..., N} via a network etc. The distributed data converter 840-κ (κε {1,..., K-1}) (FIG. 9A) is input to the input unit 141-κ and stored in the storage unit 143b-κ (step S841-). κ).

The internal restoration unit 845-κ stores the variance T _λ (α _r ) (λ∈ {1) corresponding to K different λ∈ {1,..., N} stored in the storage unit 143b-κ. , ..., N}, r = 1, ..., R) contains V _{κ, λ} (v (κ)) and v (κ) (κ∈ {1, ..., K-1} ) And v (κ) obtained are output (step S442-κ).

v (κ) is input to the transformed variance generation unit 846-κ. For each of r (r = 1,..., R), the transformed variance value generator 846-κ converts the transformed variance value z (r, v (κ) (κ∈ {1,. ., K-1}) and outputs the transformation variance S _κ (α _r ) = z (r, v (κ)) (r = 1, ..., R). S _κ (α _r ) (r = 1,..., R) is input to the output unit 142 -κ, and the output unit 142 -κ outputs the transformed dispersion value S _κ (α _r ) (r = 1,. , R) (step S844-κ) The transformed dispersion value S _κ (α _r ) (r = 1,..., R) is sent via the network or the like to the corresponding data storage device 420-κ. The transformed dispersion value S _κ (α _r ) (r = 1,..., R) is input to the input unit 121-κ of the data storage device 420-κ and stored in the storage unit 123b. -Stored in κ.

[Processing of Distributed Data Conversion Apparatus 840-K (FIG. 15B)]
As illustrated in FIG. 15B, the distributed data conversion apparatus 840-K performs the processes of steps S441-K, S442-K, and S443-K, in which the converted variance value generation unit 446-K is converted into the conversion variance value generation unit 844-K. Run.

[Processing of Distributed Data Conversion Apparatus 840-η (η∈ {K + 1,..., N}) (FIG. 15C)]
The transform variance value generation unit 847-η of the distributed data converter 840-η (η∈ {K + 1,..., N}) (FIG. 10) has n _r (μ) (μ = 1,. , (F _r (n _r corresponding to η) (η) K) different from _{n r) (η∈ {K +} 1, ..., n}, r = 1, ..., R) to generate a , F _r (n _r (η)) (η∈ {K + 1, ..., N}, r = 1, ..., R) is transformed into the transformation variance S _η (α _r ) = F _r ( n _r (η)) (r = 1, ..., R) However, F _r (x) has a variance value T _λ (α _r ) (λ∈ {1, ..., N}) corresponding to K different λ∈ {1, ..., N}. F _r (n _r (k)) = z (r, v (k)) (r = 1, ..., obtained from v (k) restored from V _{k, λ} (v (k)) R, k = 1, ..., K-1) and U _{r, λ} (included by variance values T _λ (α _r ) corresponding to K different λ∈ {1, ..., N}. _{f r (n r (K)} )) variances values are restored from _{f r (n r (K)} ) (r = 1, ..., consisting of a _{R), f r (n r} (μ)) K-1 order satisfying F _r (n _r (μ)) = f _r (n _r (μ)) (μ = 1, ..., K) for (μ = 1, ..., K) It is a formula. For example, “f _r (n _r (κ)) = P (z (r, v (κ)))” in steps S441-η to S444-η described above is changed to “f _r (n _r (κ)) = The dispersion value S _η (α _r ) = F _r (n _r (η)) is generated by the processing (steps S841-η to S844-η) replaced with “z (r, v (κ))”.

<Distributed value provision / secret calculation>
The data storage devices 420-λ (FIG. 7B) corresponding to K different λ∈ {1,..., N} are distributed values T _λ (α _r ) (r = 1,..., R), or the secret calculation unit 427-λ performs the secret calculation and the variance value E _{λ, r} (r = 1,. Output. These are sent to the data restoration device 830 via a network or the like.
<Data restoration processing>
As illustrated in FIG. 16, the input unit 131 of the data restoration device 830 (FIG. 8) has variance values T _λ (α _r ) corresponding to K different λ∈ {1,..., N}. Alternatively, the variance value E _{λ, r} is input (step S831). The control unit 134 determines whether K variance values T _λ (α _r ) or K variance values E _{λ, r} have been input (step S832).

When it is determined in step S832 that variance values T _λ (α _r ) (r = 1,..., R) corresponding to K different λ∈ {1,. These dispersion values T _λ (α _r ) (r = 1,..., R) are input to the conversion unit 835. For each of r (r = 1,..., R), the conversion unit 835 has K variance values T _λ (α _r corresponding to K different λ∈ {1,..., N}. ) To obtain values f _r (n _r (μ)) (μ = 1, ..., K) corresponding to K different n _r (μ) (μ = 1, ..., K). . First, the internal restoration unit 835a of the conversion unit 835 has a variance value T corresponding to K different λ∈ {1,..., N} for each of r (r = 1,..., R). Restore the values f _r (n _r (K)) (r = 1, ..., R) and v (k) (k = 1, ..., K-1) from _λ (α _r ), Output the values f _r (n _r (K)) (r = 1, ..., R) and v (k) (k = 1, ..., K-1).

The values f _r (n _r (K)) (r = 1,..., R) and v (k) (k = 1,..., K−1) are input to the coordinate restoration unit 835b. The coordinate restoration unit 835b sets f _r (n _r (k)) = z (r, v (k)) for each of r (r = 1,..., R). The coordinate restoration unit 835b has values f _r (n _r (μ)) (μ = 1,...) Composed of the values f _r (n _r (K)) (r = 1,..., R) inputted thereto. ., K, r = 1,..., R) are output (step S834).

The values f _r (n _r (μ)) (μ = 1,..., K, r = 1,..., R) are input to the restoration unit 836. For each of r (r = 1, ..., R), the restoration unit 836 uses these values f _r (n _r (μ)) (μ = 1, ..., K, r = 1,... ., F against _{R) r (n r (μ} ) _{in) = f r (n r (} μ)) (μ = 1, ..., satisfy K) K-1 linear equation F _r (x) The function value F _r (n _r (0)) = α _r is generated, and the value α _r obtained thereby is output (step S835). The values α _r (r = 0,..., R−1) are input to the coupling unit 237. The combining unit 237 combines the R values α _r (r = 0,..., R−1) to generate a value αεG, and outputs the value α (step S235). The value α is input to and output from the output unit 132 (step S135).

On the other hand, if it is determined in step S832 that the variance value E _{λ, r} has been input, the restoration unit 836 performs the processing of steps S236, S237, and S137 described in the second embodiment.

<Features of this embodiment>
In this embodiment, compared to the conventional secret sharing scheme, the data amount of the distributed value can be greatly reduced. Further, by diverting the same value v (k) to secret sharing of a plurality of values α _r (r = 0,..., R−1), the data amount of the distributed value can be further reduced. Further, the distributed data conversion processing in the distributed data conversion device can be used to obtain a converted distributed value that can be used as an input for the secret calculation without restoring the original value α _r from the distributed value obtained by the data distribution device. It can also generate and perform secret computations. Similarly to the fourth embodiment, in this embodiment, the variance value generation unit may output n (i), i, r, and other additional information as variance values in addition to T _i (α _r ).

[Other variations, etc.]
The present invention is not limited to the above-described embodiment. For example, in the second, fourth, sixth, and eighth embodiments, the value α is divided to generate R values α _r (r = 0,..., R−1). _May be data consisting of the value α _{r of} . For example, the value α may be table data, and α _r may be an element constituting the table data. In addition, the R values α _r may not be divided from the value α, but may be independent data.

  As described above, the data distribution apparatus may output additional additional information in addition to the distribution value of the above-described embodiment. In addition, r is not transmitted as additional information, but r is associated with information such as the position and order of distributed values in the transmitted bit stream, or the address of the distributed value stored in the storage area. The r corresponding to the variance value may be specified from the information.

  At least a part of the processing units of the devices described in the above embodiments may be included in the same device. For example, the data distribution device and the data restoration device may be configured using the same computer. Further, some processing units included in the apparatus described in the above-described embodiment may be included in another apparatus. For example, a secret calculation unit may be provided in a secret calculation device outside the data storage device, and the secret calculation device may perform a secret calculation using a transformation distribution value provided from the data storage device. Providing information from device A to device B may be transmitting information from device A to device B, storing information output from device A in a portable recording medium, and device B Alternatively, the information may be read from the portable recording medium. The various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes. Needless to say, other modifications are possible without departing from the spirit of the present invention.

  Each of the above-described devices is a special device configured by loading a special program into a known or dedicated computer having a CPU (central processing unit), a RAM (random-access memory), and the like. When these devices are realized by a computer, processing contents of functions that each device should have are described by a program. By executing this program on a computer, the above processing functions are realized on the computer. The program describing the processing contents can be recorded on a computer-readable recording medium. An example of a computer-readable recording medium is a non-transitory recording medium. Examples of such a recording medium are a magnetic recording device, an optical disk, a magneto-optical recording medium, a semiconductor memory, and the like.

  The program is distributed, for example, by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, this computer reads the program stored in its own recording device and executes the process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer). In addition, at least a part of the processing functions of the above-described devices may be configured by hardware.

1-8 Secret sharing system 110-810 Data distribution device 120-820 Data storage device 130-830 Data restoration device 140-840 Distributed data conversion device

Claims (25)

N and K are integers of 2 or more, K ≦ N, G is a set, and P (x) is a mapping that transfers a value corresponding to x to an element of the set G
A selector for selecting K-1 values v (k) (k = 1, ..., K-1);
A first transformation unit for obtaining K-1 values a (k) = P (v (k)) ∈G (k = 1,..., K-1);
n (0), n (1), ..., n (K) are different from each other, and the values n (1), ..., n (K-1) and secrets that are elements of the set G K-1 order satisfying f (n (k)) = a (k) (k = 1, ..., K-1) and f (n (0)) = α for the value α∈G to be distributed A calculation unit having an expression f (x) and obtaining a value f (n (K));
According to the (K, N) threshold secret sharing method V _k , v (k) (k = 1, ..., K-1) is secretly distributed and N distributed values V _{k, i} (v (k)) a first internal dispersion that obtains (i = 1, ..., N);
According to the (K, N) threshold secret sharing method U, the value f (n (K)) is secret-shared to obtain N distributed values U _i (f (n (K))) (i = 1, ... , N), a second internal dispersion part,
N variances T _i (α) = (V _{1, i} (v (1)), ..., V _{K-1, i} (v (K-1)), U _i (f (n (K )))) Variance generator to obtain (i = 1, ..., N),
I have a,
The data distribution apparatus , wherein the data amount of the variance value T _i (α) is smaller than the data amount of the elements of the set G. From K dispersion values T _λ (α) corresponding to K different λ∈ {1,..., N} obtained by the data distribution apparatus according to claim 1, K different n (μ ) a second conversion unit for obtaining K values f (n (μ)) (μ = 1, ..., K) corresponding to (μ = 1, ..., K);
F (n (μ)) = f (n (μ)) (μ = 1, ..., K) satisfying the function value F (n (0)) = α A recovery unit to obtain,
A data restoration apparatus having The K distribution values T _λ (α) (λ∈ {1,... Corresponding to K different λ∈ {1,..., N} obtained by the data distribution apparatus of claim 1. , N}) includes a second internal restoration unit that restores v (κ) (κ∈ {1, ..., K-1}) from V _{κ, λ} (v (κ)).
a first transform variance value generation unit that obtains a transform variance value P (v (κ)) (κ∈ {1,..., K-1}) from v (κ);
A distributed data conversion apparatus. The K U _λ (f included in the K dispersion values T _λ (α) corresponding to K different λ∈ {1,..., N} obtained by the data distribution apparatus according to claim 1. A distributed data conversion apparatus further comprising a distributed data conversion apparatus having a second conversion distribution value generation unit that obtains a conversion distribution value f (n (K)) from (n (K))). V () restored from K V _{k, λ} (v (k)) corresponding to K different λ∈ {1,..., N} obtained by the data distribution apparatus of claim 1. f (n (k)) = P (v (k)) (k = 1, ..., K-1) obtained from k) and K different λ∈ {1, ..., N }, F (n (μ)) (μ = 1, ..., K consisting of f (n (K)) restored from K U _λ (f (n (K))) corresponding to ) For F (n (μ)) = f (n (μ)) (μ = 1, ..., K) is F (x) and n (μ) ( μ = 1, ..., K) and a third transformation variance generator for obtaining F (n (η)) (η∈ {K + 1, ..., N}) corresponding to n (η) different from A distributed data conversion apparatus. N, K, and R are integers greater than or equal to 2, K ≦ N, G is a set, and P (x) is a mapping that moves a value corresponding to x to an element of the set G
A selector for selecting K-1 values v (k) (k = 1, ..., K-1);
Let z (r, v (k)) be the value corresponding to r and the value v (k), and K-1 values a _r (k) = P (z (r, v ( k))) a first conversion unit for obtaining (r = 1, ..., R, k = 1, ..., K-1);
The values n _r (0), n _r (1), ..., n _r (K) corresponding to the same r are different from each other, and the values n _r (1), ..., n _r (K-1) F _r (n _r (k)) = a _r (k) (k = 1, ..., K-1) and f _r for the secret sharing target value α _r ∈G which is an element of the set G A calculation unit that obtains a value f _r (n _r (K)), where K−1 linear expression satisfying (n _r (0)) = α _r is f _r (x),
According to the (K, N) threshold secret sharing method V _k , v (k) (k = 1, ..., K-1) is secretly distributed and N distributed values V _{k, i} (v (k)) a first internal dispersion that obtains (i = 1, ..., N);
For each of r, according to the (K, N) threshold secret sharing scheme U _r , the value f _r (n _r (K)) is secretly distributed to obtain N distributed values U _{r, i} (f _r (n _r ( K))) A second internal dispersion unit that obtains (i = 1, ..., N);
V _{1, k, i} (v (k)), ..., V _{R, k, i} (v (k)) is at least the variance value V _{k, i} (v (k)), For each of r (r = 1, ..., R), N variance values T _i (α _r ) = (V _{r, 1, i} (v (1)), ..., V _{r, K- 1, i} (v (K-1)), U _{r, i} (f _r (n _r (K)))) (r = 1, ..., R, i = 1, ..., N) A dispersion value generator to obtain,
I have a,
The data distribution apparatus , wherein the data amount of the variance value T _i (α _r ) is smaller than the data amount of the elements of the set G. For each of r (r = 1, ..., R), K said corresponding to K different λ∈ {1, ..., N} obtained by the data distribution apparatus of claim 6. From the variance T _λ (α _r ), values f _r (n _r (μ)) (μ = 1,...) Corresponding to K different n _r (μ) (μ = 1, ..., K). ., K), a second conversion unit
For each r (r = 1, ..., R), K- satisfies F _r (n _r (μ)) = f _r (n _r (μ)) (μ = 1, ..., K) A restoration unit for obtaining a function value F _r (n _r (0)) = α _r of the linear expression F _r (x);
A data restoration apparatus having The distributed values T _λ (α _r ) (λε {1, ..., N) corresponding to K different λε {1, ..., N} obtained by the data distribution apparatus according to claim 6. }) Included in V _{κ, λ} (v (κ)), v (κ) (κ∈ {1, ..., K-1}) is restored,
For each of r (r = 1, ..., R), v (κ) to transform variance P (z (r, v (κ)) (κ∈ {1, ..., K-1}) A first transform variance value generation unit for obtaining
A distributed data conversion apparatus. U _{r, λ} (f _r (n) included in the distributed values T _λ (α _r ) corresponding to K different λ∈ {1,..., N} obtained by the data distribution apparatus of claim 6. _r (K))), a distributed data conversion device having a second conversion distribution value generation unit for obtaining a conversion distribution value f _r (n _r (K)) (r = 1,..., R). The distribution value T _λ (α _r ) (λ∈ {1,..., Corresponding to K different λ∈ {1,..., N} obtained by the data distribution apparatus according to claim 6. N}) included in V _{k, λ} (v (k)) and f _r (n _r (k)) = P (z (r, v (k))) (r = 1, ..., R, k = 1, ..., K-1) and the variance T _λ (α _r corresponding to K different λ∈ {1, ..., N} ) Included in U _{r, λ} (f _r (n _r (K))), and f is composed of f _r (n _r (K)) (r = 1, ..., R), f _r (n _r (μ)) (μ = 1, ..., K) vs F _r (n _r (μ)) = f _r (n _r (μ)) (μ = 1, ..., K-1 linear equation that satisfies K) is _{F r (x), n r} (μ) (μ = 1, ..., corresponding to K) different from _{n r (η) F r (} n r ( η)) A distributed data conversion apparatus having a third conversion distribution value generation unit for obtaining (η∈ {K + 1,..., N}). N and K are integers greater than or equal to 2, K ≦ N, G is a set,
A selector for selecting K-1 values v (k) (k = 1, ..., K-1);
n (0), n (1), ..., n (K) are different from each other, and the values n (1), ..., n (K-1) and secrets that are elements of the set G For the value α to be distributed , a K-1 order equation satisfying f (n (k)) = v (k) (k = 1, ..., K-1) and f (n (0)) = α is obtained. a calculation unit that obtains a value f (n (K)) that is f (x);
According to the (K, N) threshold secret sharing method V _k , v (k) (k = 1, ..., K-1) is secretly distributed and N distributed values V _{k, i} (v (k)) a first internal dispersion that obtains (i = 1, ..., N);
According to the (K, N) threshold secret sharing method U, the value f (n (K)) is secret-shared to obtain N distributed values U _i (f (n (K))) (i = 1, ... , N), a second internal dispersion part,
N variances T _i (α) = (V _{1, i} (v (1)), ..., V _{K-1, i} (v (K-1)), U _i (f (n (K )))) Variance generator to obtain (i = 1, ..., N),
Have
The data distribution apparatus , wherein the data amount of the variance value T _i (α) is smaller than the data amount of the elements of the set G. Claim 1 1 data distribution device the K different λ∈ obtained in {1, ..., N} from the dispersion values of K corresponding to T λ _(α), different the K mutually n a conversion unit for obtaining K values f (n (μ)) (μ = 1, ..., K) corresponding to (μ) (μ = 1, ..., K);
F (n (μ)) = f (n (μ)) (μ = 1, ..., K) satisfying the function value F (n (0)) = α A recovery unit to obtain,
A data restoration apparatus having Claim 1 1 data distribution device the K different Ramuda∈ obtained in {1, ..., N} the dispersion values of K corresponding to _{T λ (α) (λ∈ {} 1, .. ., N}) includes V _{κ, λ} (v (κ)), and transform variance f (n (κ)) = v (κ) (κ∈ {1, ..., K-1}) A distributed data conversion apparatus having a first conversion distribution value generation unit for generating. Claim 1 1 data distribution device the K different λ∈ obtained in {1, ..., N} the dispersion values of K corresponding to T _lambda (alpha) of K U _lambda containing the ( A distributed data conversion apparatus having a second conversion distribution value generation unit that obtains a conversion distribution value f (n (K)) from f (n (K))). Obtained in data distribution apparatus according to claim 1 1, different Ramuda∈ K-number of mutually {1, ..., N} K pieces of V _k corresponding to _and restored from _{λ (v} (k)) v f (n (k)) = v (k) (k = 1, ..., K-1) obtained from (k) and K different λ∈ {1, ..., N} F (n (μ)) (μ = 1, ..., K) consisting of f (n (K)) restored from the corresponding K U _λ (f (n (K))) On the other hand, the K-1 order equation satisfying F (n (μ)) = f (n (μ)) (μ = 1, ..., K) is F (x), and n (μ) (μ = 1, ..., K) having a third transform variance value generation unit for obtaining F (n (η)) (η∈ {K + 1, ..., N}) corresponding to n (η) different from Distributed data converter. N, K, R are integers greater than or equal to 2, K ≦ N, G is a set,
A selector for selecting K-1 values v (k) (k = 1, ..., K-1);
The values n _r (0), n _r (1), ..., n _r (K) corresponding to the same r are different from each other, and the values corresponding to r and the value v (k) are z (r, v (k)), and the value n _r (1), ..., n _r (K-1) and the secret sharing target value α _r ∈G that is an element of the set G are f _r (n _r ( k)) = z (r, v (k)) (k = 1, ..., K-1) and _{f r (n r (0)} ) = α satisfy _r K-1 linear equation is f _r ( x) and a calculation unit for obtaining the value f _r (n _r (K)),
According to the (K, N) threshold secret sharing method V _k , v (k) (k = 1, ..., K-1) is secretly distributed and N distributed values V _{k, i} (v (k)) a first internal dispersion that obtains (i = 1, ..., N);
For each of r, according to the (K, N) threshold secret sharing scheme U _r , the value f _r (n _r (K)) is secretly distributed to obtain N distributed values U _{r, i} (f _r (n _r ( K))) A second internal dispersion unit that obtains (i = 1, ..., N);
V _{1, k, i} (v (k)), ..., V _{R, k, i} (v (k)) is at least the variance value V _{k, i} (v (k)), For each of r (r = 1, ..., R), N variance values T _i (α _r ) = (V _{r, 1, i} (v (1)), ..., V _{r, K- 1, i} (v (K-1)), U _{r, i} (f _r (n _r (K)))) (r = 1, ..., R, i = 1, ..., N) A dispersion value generator to obtain,
Have
The data distribution apparatus , wherein the data amount of the variance value T _i (α _r ) is smaller than the data amount of the elements of the set G. For each of r (r = 1, ..., R), K said corresponding to K different λ∈ {1, ..., N} obtained by the data distribution apparatus of claim 16. From the variance T _λ (α _r ), values f _r (n _r (μ)) (μ = 1,...) Corresponding to K different n _r (μ) (μ = 1, ..., K). .., K), and
For each r (r = 1, ..., R), K- satisfies F _r (n _r (μ)) = f _r (n _r (μ)) (μ = 1, ..., K) A restoration unit for obtaining a function value F _r (n _r (0)) = α _r of the linear expression F _r (x);
A data restoration apparatus having 17. The distributed values T _λ (α _r ) (λ∈ {1,..., N) corresponding to K different λ∈ {1,..., N} obtained by the data distribution apparatus of claim 16. }) Included in V _{κ, λ} (v (κ)), v (κ) (κ∈ {1, ..., K-1}) is restored,
For each of r (r = 1, ..., R), get the transform variance z (r, v (κ)) (κ∈ {1, ..., K-1}) from v (κ) A first transformed variance generation unit;
A distributed data conversion apparatus. The distribution value T _λ (α _r ) corresponding to K different λ∈ {1,..., N} obtained by the data distribution apparatus of claim 16 includes U _{r, λ} (f _r (n _r (K))), a distributed data conversion device having a second conversion distribution value generation unit for obtaining a conversion distribution value f _r (n _r (K)) (r = 1,..., R). 17. The distribution values T _λ (α _r ) (λ∈ {1,..., Corresponding to K different λ∈ {1,..., N} obtained by the data distribution apparatus according to claim 16 . N}) included in V _{k, λ} (v (k)), f _r (n _r (k)) = z (r, v (k)) (r = 1, ..., R, k = 1, ..., K-1) and the dispersion values T _λ (α _r ) corresponding to K different λ∈ {1, ..., N} _{U r, λ (f r (} n r (K))) variances values are restored from _{f r (n r (K)} ) (r = 1, ..., R) consisting of a, f _r (n _r (μ)) (μ = 1, ..., K) and F _r (n _r (μ)) = f _r (n _r (μ)) (μ = 1, ..., K) K-1 linear equation satisfied by a _{F r (x), n r} (μ) (μ = 1, ..., K) corresponding to different _{n r (η) F r (} n r (η)) A distributed data conversion apparatus including a third conversion distribution value generation unit that obtains (η∈ {K + 1,..., N}). The data distribution apparatus according to claim 1 or 11 ,
The data distribution apparatus, wherein the data amount of the variance value U _i (f (n (K))) is smaller than the data amount of the elements of the set G. The data distribution apparatus according to claim 1 or 11 ,
A data distribution apparatus in which the data amount of each of the variance values V _{k, i} (v (k)) (k = 1,..., K−1) is smaller than the data amount of the elements of the set G. The data distribution apparatus according to claim 6 or 16 , wherein
The data distribution apparatus, wherein the data amount of the variance value U _{r, i} (f _r (n _r (K))) is smaller than the data amount of the elements of the set G. The data distribution apparatus according to claim 6 or 16 , wherein
The data distribution device, wherein the data amount of each of the variance values V _{r, k, i} (v (k)) is smaller than the data amount of the elements of the set G. The data distribution device according to any one of claims 1, 6, 11, and 16 , comprising:
The data distribution device, wherein the data amount of any one of the values v (k) is smaller than the data amount of the elements of the set G.

Images