JP5732429B2 - Secret sharing system, data sharing device, data restoration device, secret sharing method, and program - Google Patents

Description

  The present invention relates to a secret sharing technique.

  Secret sharing is a technology that converts data into a plurality of distributed values and restores the original data by using more than a certain number of distributed values, and makes it impossible to restore the original data from less than a certain number of distributed values. . Assuming that the total number of variance values is N and the minimum number of variance values necessary for restoration is M (≦ N), there are a method in which the values of N and M are not restricted and a method in which there is a restriction.

As a typical scheme for secret sharing, there is a Shamir secret sharing scheme (for example, see Non-Patent Document 1). In an example of this method, A is a non-negative integer, p is a prime number greater than or equal to N and greater than A, and the variance value of A is S _i (A) = f (i) mod p (i = 1,..., N) To do. Here, f is a one-variable M−1 linear expression such that f (0) = A. Then, n _1, ..., a n _M as a different one or more N an integer, the following relationship can be restored to A from _{(n i, S i (A} )) (i = 1, ..., N) .

In the above example, the variance value S _i (A) is an integer of 0 or more and less than p, but a method that can further reduce the data length of the variance value has been proposed (see Non-Patent Document 2, for example). In the secret sharing scheme described in Non-Patent Document 2, the following method using common key cryptography has been proposed.

<Data distribution processing>
1. A secret key SK is generated.
2. The plaintext A is encrypted using the secret key SK to generate the ciphertext C.
3. The ciphertext C is distributed to N distributed values T ₁ (C),..., T _N (C) using an information dispersal algorithm (IDA).
4). The secret key SK is distributed to N distributed values S ₁ (SK),..., S _N (SK) by an arbitrary secret sharing scheme.
5. A distributed value U _i (A) = (T _i (C), S _i (SK)) (i = 1,..., N) of plaintext A is generated.

<Data restoration processing>
1. Arbitrary M values are selected from N variance values U _i (A).
2. Using the information propagation algorithm, the ciphertext C is restored from the M distributed values T _i (C).
3. The secret key SK is restored from the M distributed values S _i (SK) by an arbitrary secret sharing scheme.
4). The ciphertext C is decrypted using the secret key SK to obtain plaintext A.

  The information propagation algorithm is a technique for converting data into a plurality of distributed values and restoring the original data by using a certain number of distributed values or more. This is different from the secret sharing scheme in that the original data may be restored from a smaller number of distributed values.

An example of the information propagation algorithm will be described more specifically. The data distribution processing of the information propagation algorithm divides the ciphertext C into M divided values C ₀ ,..., C _M−1 , and T _i (C) = g (i) mod q (i = 1,. N). Where C ₀ , ..., C _M-1 is a non _- negative integer, q is a prime number greater than N and greater than C ₀ , ..., C _M-1 , and g (x) (x = 1, ..., N) is The value is obtained from the following one-variable M-1 linear expression.

In general, q can be smaller than p. Also, the secret key SK can be a fixed data length as small as 128 bits, for example. For this reason, the distributed value S _i (SK) of the secret key SK has a sufficiently small data length compared to the distributed value T _i (C) of the ciphertext C and can be ignored. Therefore, the distributed value U _i (A) according to the secret sharing scheme described in Non-Patent Document 2 is expected to have a smaller data length than the distributed value S _i (A) according to the secret sharing scheme described in Non-Patent Document 1. it can.

Data restoration processing of the information propagation algorithm is performed by solving the following simultaneous equations using C ₀ ,..., C _M-1 as variables using M variance values T _i (C), thereby dividing the values C ₀ ,. , Restore C _M-1 .

The restored divided values C ₀ ,..., C _M-1 are combined to restore the ciphertext C.

  A non-patent document 3 discloses a secret sharing scheme extended to multi-party computation. Multi-party calculation is a secret sharing scheme that allows a distributed value of data held by each subject to be sent to another subject and the intended calculation to be executed without revealing the distributed value to the other subject.

A. Shamir, “How to share a secret.”, Commun. ACM 22 (11), pp.612-613, 1979. H.Krawczyk, “Secret sharing made short.”, CRYPTO 1993, pp.136-146, 1993. Koji Senda, Dai Igarashi, Hiroki Hirota, Ryo Kikuchi, Hitoshi Fuji, Katsumi Takahashi, “Computational short secret sharing applicable to multi-party computation”, SCIS 2012.

When it is desired to immediately display a screen or execute a program from secret-distributed data, it is necessary to shorten the time required for data restoration processing in the secret-sharing technique as much as possible. The secret sharing schemes described in Non-Patent Document 2 and Non-Patent Document 3 use divided values C ₀ ,..., C _{M in} order to obtain divided values C _{0 ,. It} is necessary to solve simultaneous equations with all of _-1 . In particular, the amount of calculation increases as the data length of the ciphertext C increases, and as a result, the time required for the data restoration processing also increases.

  The present invention has been made in view of such a point, and an object thereof is to reduce the amount of calculation of secret sharing data restoration processing.

  In order to solve the above problems, a secret sharing system of the present invention includes a data sharing device and a data restoration device. In the present invention, M and N are integers of 2 or more, M ′ is an integer of 0 or more, and M ′ ≦ M ≦ N.

The data distribution apparatus includes an encryption unit, a ciphertext division unit, a ciphertext distribution unit, a key distribution unit, and a distributed value generation unit. The encryption unit encrypts the plaintext A using the secret key SK and generates a ciphertext C. The ciphertext dividing unit divides the ciphertext C into M divided values C ₀ ,..., C _M−1 . Ciphertext dispersion unit, division value C _0, ..., the NM number of linearly independent polynomials each other by the factor C _M-1 by calculating respectively, NM pieces of dispersion value D _1, ..., generate D _NM To do. The key distribution unit distributes the secret key SK into N distributed values S ₁ (SK),..., S _N (SK) according to a predetermined secret sharing scheme. Variance generator, the dispersion value D _1, ..., D _NM variance value T ₁ (C), ..., and T _NM (C), divided value _{C 0, ..., C M-} 1 dispersion value T _{N- M + 1} (C), ..., T _N (C), and dispersion value T _i (C) (i = 1, ..., N) and dispersion value S _i (SK) (i = 1, ..., N) The variance U ₁ (A),..., U _N (A) is generated as a set.

The data restoration device includes a divided ciphertext extraction unit, a divided ciphertext interpolation unit, a ciphertext combination unit, a key restoration unit, and a decryption unit. The divided ciphertext extraction unit includes M distributed values arbitrarily selected from the distributed values U ₁ (A),..., U _N (A) among the distributed values T ₁ (C) _,. U ' ₁ (A), ..., U' _M (A) includes M 'variance values T' ₁ (C), ..., T '_M' (C) as variance values D ' ₁ , ..., D Extracted as '_M' and included in the variance values U ' ₁ (A), ..., U' _M (A) among the variance values T _{N-M + 1} (C), ..., T _N (C) M ′ variance values T ′ _{M ′ + 1} (C),..., T ′ _M (C) are extracted as divided values C ′ _{0 ,.} The divided ciphertext interpolating unit, when any of the divided values C ₀ ,..., C _M-1 is not included in the divided values C ′ _{0 ,. 1,} ..., D _'M' and the divided value C _'0, ..., C' using the _M-M'-1, divided value C _0, ..., interpolates the C _M-1. Ciphertext combining unit is divided value C _0, ..., obtaining a ciphertext C by combining the C _M-1. Key recovery unit in accordance with a predetermined secret sharing scheme, the dispersion value _{U '1 (A), ...} , U' M variance value included in the _{(A) S '1 (SK} ), ..., S' from _M (SK) Restore the secret key SK. The decryption unit decrypts the ciphertext C using the secret key SK and obtains plaintext A.

  According to the secret sharing technique of the present invention, when all the predetermined shared values are selected, the ciphertext C can be restored only by combining the divided values included in the selected distributed value. That is, since the data restoration process of the information propagation algorithm can be omitted, the calculation amount of the data restoration process of the secret sharing scheme can be suppressed.

The schematic diagram explaining the data distribution process of the conventional secret sharing system. The schematic diagram explaining the data restoration process of the conventional secret sharing system. The block diagram which shows the structural example of the secret sharing system which concerns on 1st Embodiment. The block diagram which shows the structural example of the data distribution apparatus which concerns on 1st Embodiment. 1 is a block diagram illustrating a configuration example of a data restoration device according to a first embodiment. The block diagram which shows the structural example of a data storage device. The flowchart which shows the operation example of the data distribution apparatus which concerns on 1st Embodiment. 6 is a flowchart showing an operation example of the data restoration apparatus according to the first embodiment. The schematic diagram explaining the data distribution process which concerns on 1st Embodiment. The schematic diagram explaining the data restoration process which concerns on 1st Embodiment. The block diagram which shows the structural example of the secret sharing system which concerns on 2nd Embodiment. The block diagram which shows the structural example of the data distribution apparatus which concerns on 2nd Embodiment. The block diagram which shows the structural example of the data restoration apparatus which concerns on 2nd Embodiment. The schematic diagram explaining the data distribution process which concerns on 2nd Embodiment. The schematic diagram explaining the data restoration process which concerns on 2nd Embodiment. The block diagram which shows the structural example of the secret sharing system which concerns on 3rd Embodiment. The block diagram which shows the structural example of the data distribution apparatus which concerns on 3rd Embodiment. The block diagram which shows the structural example of the data restoration apparatus which concerns on 3rd Embodiment. The schematic diagram explaining the data distribution process which concerns on 3rd Embodiment. The schematic diagram explaining the data restoration process which concerns on 3rd Embodiment.

  Hereinafter, embodiments of the present invention will be described in detail. In addition, the same number is attached | subjected to the component which has the same function in drawing, and duplication description is abbreviate | omitted.

[Conventional secret sharing method]
Prior to the description of the embodiments, problems of the conventional secret sharing scheme will be described in detail.

<Data distribution processing>
With reference to FIG. 1, the principle of data distribution processing by a conventional secret sharing scheme will be described.

  First, plaintext A is encrypted using the secret key SK to generate ciphertext C. The encryption method used here can be any common key encryption method. The common key encryption method is an encryption method in which a sender and a receiver of information share the same key. Typical common key cryptosystems include, for example, DES (Data Encryption Standard) and AES (Advanced Encryption Standard).

Next, the ciphertext C is divided into M divided values C ₀ ,..., C _M−1 . Any method may be used as long as the ciphertext C can be restored only by an operation of combining all the divided values C ₀ ,..., C _M-1 in a predetermined order. For example, assuming that the data length of the ciphertext C is s, the ciphertext C can be divided into s / M bits from the beginning. Alternatively, t may be an arbitrary natural number, and may be divided into s / tM bits from the beginning of the ciphertext C, and arbitrarily selected t may be divided into C ₀ ,..., C _M−1 .

Then, M divided values C ₀ ,..., C _M−1 are distributed to N distributed values T ₁ (C),..., T _N (C) using an information propagation algorithm. For details on the information propagation algorithm, see, for example, “MORabin,“ Efficient dispersal of information for security, load balancing, and fault tolerance. ”, J. ACM 36 (2), pp.335-348, 1989. (Reference 1) Please refer to.

On the other hand, the secret key SK is distributed according to the information propagation algorithm to generate distributed values S ₁ (SK),..., S _N (SK). See above and reference 1 for details on the information propagation algorithm. Since the information propagation algorithm is a concept including a secret sharing scheme, a known secret sharing scheme may be used here. For example, the Shamir secret sharing method can be applied. For details on the Shamir secret sharing scheme, see the above-mentioned and Non-Patent Document 1.

Finally, for i = 1,..., N, the variance value T _i (C) and the variance value S _i (SK) are taken as a pair, and the variance value U _i (A) = (T _i (C), S _i (SK) ) And N variance values U ₁ (A),..., U _N (A).

<Data restoration processing>
The principle of data restoration processing by the conventional secret sharing scheme will be described with reference to FIG.

First, arbitrary M values are selected from _N variance values U ₁ (A),..., U _N (A). The selected M variance values are taken as variance values U ′ ₁ (A),..., U ′ _M (A). Next, an information propagation algorithm is used from the variance values T ′ ₁ (C),..., T ′ _M (C) included in the _M variance values U ′ ₁ (A),. Then, the division values C ₀ ,..., C _M−1 are restored. Information propagation algorithm used here, in the data distribution processing, M pieces of divided values _{C 0, ..., C M-} 1 of N variance T ₁ (C), ..., when divided into T _N (C) This is the information propagation algorithm used for. Then, the ciphertext C is restored by combining the restored divided values C ₀ ,..., C _M-1 in a predetermined order. Binding method M pieces of divided values C ₀ ciphertext C in the data distribution processing, ... it is determined in accordance with the method divided into C _M-1.

On the other hand, M pieces of variance _{U '1 (A), ...} , U' secret _M variance value included in the _{(A) S '1 (SK} ), ..., S' from _M (SK), according to the information propagation algorithm Restore the key SK. The information propagation algorithm used here is the information propagation algorithm used when the secret key SK is distributed to N distributed values S ₁ (SK),..., S _N (SK) in the data distribution process.

  Finally, plaintext A is obtained by decrypting the restored ciphertext C using the restored secret key SK. The decryption method uses the encryption method used when the plaintext A is encrypted by using the secret key SK and the ciphertext C is generated in the data distribution process.

Thus, in the conventional secret distribution method, division value C ₀ for restoring the ciphertext C, ..., in order to obtain the C _M-1, divided value C _0, ..., C _M-1 of all variables It was necessary to solve the simultaneous equations. Dividing number and dividing value as the data length of the ciphertext C is increased C _0, ..., since the data length of the C _M-1 is increased, the amount of calculation increases. As a result, the time required for the data restoration process also increases. An object of the present invention is to reduce the time required for data restoration processing by suppressing the calculation amount of data restoration processing of the secret sharing scheme.

[First Embodiment]
The secret sharing system 1 according to the first embodiment of the present invention is a configuration example when the present invention is applied to the secret sharing scheme described in Non-Patent Document 2.

<Configuration>
A configuration example of the secret sharing system 1 will be described in detail with reference to FIG. The secret sharing system 1 includes a data sharing device 10, a data restoration device 20, at least N data storage devices 30 ₁ to 30 _N, and a network 90. The data distribution device 10, the data restoration device 20, and the data storage devices 30 ₁ to 30 _N are connected to the network 90. The network 90 may be configured so that the data distribution device 10 and the data storage devices 30 ₁ to 30 _N can communicate with each other, and the data restoration device 20 and the data storage devices 30 ₁ to 30 _N can communicate with each other. For example, it can be configured by the Internet, LAN, WAN, or the like. The data distribution device 10 and the data storage devices 30 ₁ to 30 _N , and the data restoration device 20 and the data storage devices 30 ₁ to 30 _N do not necessarily need to be able to communicate online via a network. For example, the information output from the data distribution device 10 may be stored in a portable medium such as a USB memory, and input from the portable medium to the data storage devices 30 ₁ to 30 _N offline. Similarly, the information output from the data storage devices 30 ₁ to 30 _N may be stored in a portable medium such as a USB memory and input to the data restoration device 20 from the portable medium offline.

  A configuration example of the data distribution apparatus 10 included in the secret sharing system 1 will be described in detail with reference to FIG. The data distribution apparatus 10 includes an encryption unit 110, a ciphertext division unit 120, a ciphertext distribution unit 130, a key distribution unit 140, a distributed value generation unit 150, and a distributed value distribution unit 160.

  With reference to FIG. 5, a configuration example of the data restoration device 20 included in the secret sharing system 1 will be described in detail. The data restoration apparatus 20 includes a distributed value selection unit 210, a divided ciphertext extraction unit 220, a divided ciphertext interpolation unit 230, a ciphertext combination unit 240, a key restoration unit 250, and a decryption unit 260.

  A configuration example of the data storage device 30 included in the secret sharing system 1 will be described in detail with reference to FIG. The data storage device 30 includes a distributed value storage unit 310. The distributed value storage unit 310 can be configured by, for example, an auxiliary storage device configured by a semiconductor memory element such as a hard disk, an optical disk, or a flash memory, or middleware such as a relational database or a key value store.

<Data distribution processing>
With reference to FIG. 7, the operation example of the data distribution apparatus 10 is demonstrated in detail according to the order of the procedure actually performed.

  The encryption unit 110 included in the data distribution apparatus 10 encrypts the plaintext A using the secret key SK and generates a ciphertext C (S110). As the encryption method used here, any known common key encryption method can be used as in the conventional secret sharing method.

The ciphertext dividing unit 120 included in the data distribution apparatus 10 divides the ciphertext C into M divided values C ₀ ,..., C _M−1 (S120). As with the conventional secret sharing scheme, the splitting method used here is any method that can restore the ciphertext C only by the operation of combining all split values C ₀ ,..., C _M-1 in a predetermined order. It may be a simple method.

Ciphertext distribution unit 130 included in the data distribution apparatus 10, divided value C _0, ..., the NM number of linearly independent polynomials each other by the factor C _M-1 by calculating respectively, NM pieces of variance D ₁ ,..., D _NM is generated (S130). More specifically, dispersion values D ₁ ,..., D _NM are generated by calculating a polynomial g (x) represented by the following expression for x = 1 _,.

However, q is a prime number greater than or equal to N which is larger than any of the divided values C ₀ ,..., C _M−1 .

The key distribution unit 140 included in the data distribution apparatus 10 distributes the secret key SK into N distribution values S ₁ (SK),..., S _N (SK) according to an arbitrary secret distribution method (S140). As the secret sharing scheme used here, any known secret sharing scheme can be used similarly to the conventional secret sharing scheme. For example, the secret sharing schemes described in Non-Patent Documents 1 to 3 can be used.

The variance value generation unit 150 included in the data distribution apparatus 10 sets the variance values D ₁ ,..., D _NM as the variance values T ₁ (C),..., T _NM (C), and the divided values C _{0 ,. Let 1} be the variance value T _{N-M + 1} (C),..., T _N (C). Then, for i = 1,..., N, the variance value T _i (C) and variance value S _i (SK) are paired, and the variance value U _i (A) = (T _i (C), S _i (SK) ) And N variance values U ₁ (A),..., U _N (A) are generated (S150).

Variance distribution unit 160 included in the data distribution apparatus 10, the dispersion value _{U 1 (A), ...,} U N (A) a data storage device 30 _1, ..., distributed to 30 _N (S160). The data storage device 30 _i stores the received variance value U _i (A) in the variance value storage unit 310.

<Data restoration processing>
With reference to FIG. 8, an operation example of the data restoration apparatus 20 will be described in detail according to the order of procedures actually performed.

The distributed value selection unit 210 included in the data restoration device 20 arbitrarily selects M from the _N data storage devices 30 ₁ ,..., 30 _N. The selected data storage device 30 _i (i = 1,..., M) transmits the variance value U _i (A) stored in the variance value storage unit 310 to the data restoration device 20. The data restoration device 20 acquires the variance value U _i (A) received from the data storage device 30 _i as M variance values U ′ ₁ (A),..., U ′ _M (A) (S210).

The divided ciphertext extraction unit 220 included in the data restoration device 20 is included in the distributed values U ′ ₁ (A),..., U ′ _M (A) among the distributed values T ₁ (C) _,. the M 'number of variance _{T' 1 (C), ...} , T 'M' to (C), the dispersion value D _'1, ..., D' is extracted as _{M '.} Further, the dispersion value _{T N-M + 1 (C} ), ..., T N variance U of _{(C) '1 (A)} , ..., U' M-M included in the _M (A) 'number of dispersion The values T ′ _{M ′ + 1} (C),..., T ′ _M (C) are extracted as the divided values C ′ _{0 ,.}

When the divided ciphertext interpolation unit 230 included in the data restoration device 20 does not include any of the divided values C ₀ ,..., C _{M−1 in} the divided values C ′ _{0 ,.} , the dispersion value _{D '1, ..., D'} M ' and the divided value C' _0, ..., with C _'M-M'-1, divided value C _0, ..., interpolates the C _M-1 (S231, S232). When all of the divided values C ₀ ,..., C _M-1 are included in the divided values C ′ ₀ ,..., C ′ _M-M′−1 , the process of S232 is omitted and the process proceeds to S240. Proceed (S231). More specifically, the above polynomial g (x) is converted into M−M ′ divided values C _i (1 ≦ i ≦ M) included in the divided values C ′ ₀ ,..., C ′ _{M−M′−1.} -1) is a constant, and M 'divided values C _j (1 ≤ j ≤ M-1) not included in the divided values C' ₀ , ..., C '_M-M'-1 are used as variables and the variance value D _'1, ..., D' the number of equations _'M by substituting each x which was determined' _{to M,} by solving the simultaneous equations, dividing values C _0, ..., interpolates the C _M-1. For example, if M variance values U _i (A) (i = 1,..., M ′, N−M + M ′ + 1,..., N) are selected, C _{0 ,.} the _-M'-1 and the constant, C _{M-M ',} ..., a C _M-1 as a variable, by solving the following simultaneous equations, dividing value C _M-M', ..., determine the C _M-1.

The ciphertext combining unit 240 included in the data restoration apparatus 20 combines the divided values C ₀ ,..., C _M-1 to obtain the ciphertext C (S240). The combination method used here corresponds to the division method used when the ciphertext C is divided into M divided values C ₀ ,..., C _M-1 in the data distribution processing, as in the conventional secret sharing scheme. It is determined.

Key recovery unit 250 included in the data restoration unit 20, according to a secret sharing scheme, the dispersion value _{U '1 (A), ...} , U' variance value included in _{M (A) S '1 (} SK), ..., S' _The secret key SK is restored from _M (SK) (S250). The secret sharing scheme used here is the secret sharing scheme used when the secret key SK is distributed to the distributed values S ₁ (SK), ..., S _N (SK) in the data distribution processing, as in the conventional secret sharing scheme. is there.

  The decryption unit 260 included in the data restoration device 20 decrypts the ciphertext C using the secret key SK to obtain plaintext A (S260). Similar to the conventional secret sharing scheme, the decryption method uses the encryption scheme used when ciphertext C is generated by encrypting plaintext A using the secret key SK in data distribution processing.

<Features of First Embodiment>
With reference to FIG. 9, the principle of data distribution processing by the secret sharing system 1 according to the first embodiment will be described. The difference from the conventional secret sharing scheme is the process of generating _N distributed values T ₁ (C),..., T _N (C) from _M divided values C ₀ ,. . First, M divided values C ₀ ,..., C _M-1 are distributed to NM distributed values D ₁ ,..., D _NM using an information propagation algorithm. See above and reference 1 for details on the information propagation algorithm. Next, the dispersion values D ₁ ,..., D _NM are set as dispersion values T ₁ (C) _,. Further, the divided value C _0, ..., C variance value _{M-1 T N-M +} 1 (C), ..., and T _N (C).

With reference to FIG. 10, the principle of the data restoration process by the secret sharing system 1 according to the first embodiment will be described. The difference from the conventional secret distribution method, M pieces of variance _{T '1 (C), ...} , T' M (C) from the M division value C _0, ..., the processing for restoring the C _M-1 It is. Of the variance values T ′ ₁ (C),..., T ′ _M (C), the value corresponding to the variance values T ₁ (C),…, T _NM (C) is M ′ variance values T ′ ₁ (C ), ..., T '_M' (C), and the variance values T ' ₁ (C), ..., T' _{M '} (C) are extracted as variance values D' ₁ , ..., D '_M' . . Moreover, variance _{T '1 (C), ...} , T' M (C) dispersion value _{T N-M + 1 (C} ) of, ..., T _N (C) values corresponding to the M-M 'number the variance _{T 'M' + 1 (C} ), ..., ' as a _M (C), variance _{T' T M '+ 1 (} C), ..., T' M a (C), divided value C Extract as' ₀ , ..., _C'M-M'-1 .

Division value _{C 0, ..., C M-} 1 of all split values C _'0, ..., C' when included in the _M-M'-1 is divided value _{C 0, ..., C M-} 1 To obtain ciphertext C. If any of the divided values C ₀ ,..., C _M-1 is not included in the divided values C ′ ₀ ,..., C ′ _M-M′−1 , the distributed values D ′ _{1 ,. 'a} division value C' _0, ..., with C _'M-M'-1, divided value C _0, ..., on which interpolates the C _M-1, divided value _{C 0, ..., C M-} 1 To obtain ciphertext C.

As described above, in the secret sharing system 1 according to the first embodiment, the divided value C, which is a value obtained by dividing the ciphertext C into a part of the _N distributed values U ₁ (A),..., U _N (A). ₀ , ..., C _M-1 is held. Accordingly, M number of variance values U arbitrarily selected _{'1 (A), ...,} U' M (A) to the division value C _0, ..., when the C _M-1 is included all split values C _0, ..., there is no need to perform processing for restoring the C _M-1. Therefore, the amount of calculation in the data restoration process can be reduced.

Further, even if partial data of the ciphertext C is obtained from the divided values C ₀ ,..., C _M−1 , it is encrypted using the secret key SK and a part of the plaintext A is not obtained. Absent. Therefore, the confidentiality of plaintext A is not impaired.

Furthermore, since the NM distributed values D ₁ ,..., D _NM are generated using the information propagation algorithm using the divided values C ₀ ,..., C _M−1 , the selected M distributed values U ' ₁ (A), ..., U' _M (A) does not contain any of the divided values C ₀ , ..., C _M-1 , even if the variance values D ' ₁ , ..., D' _{M 'and} the divided value C' _0, ..., with C _'M-M'-1, divided value C _0, ..., it is possible to interpolate C _M-1. Accordingly, N number of variance values _{U 1 (A), ...,} U N (A) M number of variance values U arbitrarily selected from _{'1 (A), ...,} U' plaintext using _M (A) A Can be restored.

[Second Embodiment]
The secret sharing system 2 according to the second embodiment of the present invention is a configuration example when the present invention is applied to the secret sharing scheme described in Non-Patent Document 3.

<Configuration>
A configuration example of the secret sharing system 2 will be described in detail with reference to FIG. The secret sharing system 2 includes a data sharing device 11, a data restoration device 21, at least N data storage devices 30, and a network 90. The data distribution device 11, the data restoration device 21, and the data storage devices 30 ₁ to 30 _N are connected to the network 90. The network 90 may be configured so that the data distribution device 11 and the data storage devices 30 ₁ to 30 _N can communicate with each other, and the data restoration device 21 and the data storage devices 30 ₁ to 30 _N can communicate with each other. For example, it can be configured by the Internet, LAN, WAN, or the like. The data distribution device 11 and the data storage devices 30 ₁ to 30 _N , and the data restoration device 21 and the data storage devices 30 ₁ to 30 _N do not necessarily need to be able to communicate online via a network. For example, the information output from the data distribution device 11 may be stored in a portable medium such as a USB memory, and input from the portable medium to the data storage devices 30 ₁ to 30 _N offline. Similarly, the information output from the data storage devices 30 ₁ to 30 _N may be stored in a portable medium such as a USB memory, and input from the portable medium to the data restoration device 21 offline.

  With reference to FIG. 12, a configuration example of the data sharing apparatus 11 included in the secret sharing system 2 will be described in detail. Similar to the data distribution apparatus 10 according to the first embodiment, the data distribution apparatus 11 includes a ciphertext division unit 120, a ciphertext distribution unit 130, and a distributed value distribution unit 160. An encryption unit 111 is provided instead of the encryption unit 110, a key distribution unit 141 is provided instead of the key distribution unit 140, and a distributed value generation unit 151 is provided instead of the distributed value generation unit 150. Therefore, the difference between the data distribution device 11 and the data distribution device 10 is that the processes of the encryption unit, the key distribution unit, and the distributed value generation unit are different.

  With reference to FIG. 13, a configuration example of the data restoration device 21 included in the secret sharing system 2 will be described in detail. Similar to the data restoration device 20 according to the first embodiment, the data restoration device 21 includes a distributed value selection unit 210, a divided ciphertext extraction unit 220, a divided ciphertext interpolation unit 230, and a ciphertext combination unit 240. A key recovery unit 251 is provided instead of the key recovery unit 250, and a decryption unit 261 is provided instead of the decryption unit 260. Therefore, the difference between the data restoration device 20 and the data restoration device 21 is that the processes of the key restoration unit and the decryption unit are different.

<Data distribution processing>
The encryption unit 111 included in the data distribution device 11 generates _M−1 fixed-length random numbers R ₁ ,..., R _M−1 . Next, the random number R _1, ..., a pseudo-random number V (R ₁₎ a R _M-1 is an integer of 0 or more and less than p to seed, ..., and generates a V (R _M-1). However, p is a prime number greater than or equal to N, which is larger than plaintext A. And the polynomial h (x) is a one-variable M-1 degree equation where h (0) = A and h (i) = V (R _i ) (i = 1,..., M-1). , H (M) mod p is generated to generate a ciphertext C.

The key distribution unit 141 included in the data distribution apparatus 11, in accordance with any secret sharing scheme, the random number R _1, ..., variance value of N to R _M-1, respectively _{S 1 (R i), ...} , S N (R i ) (i = 1,..., M-1). As the secret sharing scheme used here, any known secret sharing scheme can be used similarly to the conventional secret sharing scheme. For example, the secret sharing schemes described in Non-Patent Documents 1 to 3 can be used.

The variance value generation unit 151 included in the data distribution device 11 uses the variance values D ₁ ,..., D _NM as the variance values T ₁ (C),..., T _NM (C), and the divided values C _{0 ,. Let 1} be the variance value T _{N-M + 1} (C),..., T _N (C). Then, i = 1, ..., the N, variance T _i (C) and the dispersion value _{S i (R 1), ...} , S i (R M-1) in the set variance value U _i (A) = generate _{(T i (C), S} i (R 1), ..., S i (R M-1)), N pieces of variance U ₁ (a), ..., and U _N (a).

<Data restoration processing>
The key recovery unit 251 included in the data recovery device 21 has M distributed values U ′ ₁ (arbitrarily selected from _N distributed values U ₁ (A),..., U _N (A) according to a secret sharing scheme. _{a), ..., U 'M} ( dispersion value S contained in _{a)' 1 (R i)} , ..., S 'N (R i) (i = 1, ..., a M-1), the random number R _1, …, _RM-1 is restored respectively. The secret sharing scheme used here is the same as the conventional secret sharing scheme. In the data sharing process, random numbers R ₁ ,..., R _M-1 are used as the distributed values S ₁ (R _i ), ..., S _N (R _i ) (i = 1, ..., M-1).

Decoding unit 261 included in the data restoration unit 21, the random number R _1, ..., quasi from R _M-1 random V (R _1), ..., and generates a V (R _M-1). Then, by obtaining h (0) from h (i) = V (R _i ) (i = 1,..., M−1) and h (M) = C, plaintext A is obtained.

<Features of Second Embodiment>
With reference to FIG. 14, the principle of data distribution processing by the secret sharing system 2 according to the second embodiment will be described. The difference from the first embodiment is a process for encrypting plaintext A into ciphertext C and a process for generating distributed values U ₁ (A),..., U _N (A). Processing of encrypting the ciphertext C plaintext A is, M-1 random numbers R _1, ..., a pseudo-random number V as a seed each _{R M-1 (R 1)} , ..., V (R M-1) Is generated. Then, the plaintext A is encrypted using the pseudo random numbers V (R ₁ ),..., V (R _M-1 ) as a secret key to generate a ciphertext C. The process of generating the variance values U ₁ (A),..., U _N (A) is performed by assigning random numbers R _i (i = 1,..., M−1) to N variance values S ₁ (R _i ),. , S _N (R _i ) (i = 1,..., M−1). Then, the random number _{R 1, ..., R M-} 1 of the variance values comprises one by 1 M-1 pieces of variance _{S i (R 1), ...} , and set the _{S i (R M-1)} , further encryption N variance values U ₁ (A),..., U _N (A) are generated in combination with the variance value T _i (C) of the sentence C.

With reference to FIG. 15, the principle of data restoration processing by the secret sharing system 2 according to the second embodiment will be described. The difference from the first embodiment is a process for restoring the secret key and a process for obtaining the plaintext A by decrypting the ciphertext C. Processing for restoring the private key, M-number of the dispersion value _{U '1 (A), ...} , U' from _M (A), the random number _{R 1, ..., R M-} 1 of the variance S _'i (R ₁ ), ..., S ' _i (R _M-1 ) (i = 1, ..., M) and extract M variance values S' ₁ (R _{i for} i = 1, ..., M-1 ),..., S ′ _M (R _i ) restores the random number R _i . Process of obtaining the plaintext A by decrypting the ciphertext C is restored M-1 random numbers R _1, ..., a pseudo-random number V as a seed each _{R M-1 (R 1)} , ..., V (R M _-1 ) is generated. Then, the ciphertext C is decrypted using the pseudorandom numbers V (R ₁ ),..., V (R _M−1 ) as secret keys to obtain plaintext A.

  As described above, according to the secret sharing system 2 according to the second embodiment, even in the computational short secret sharing scheme applicable to the multi-party calculation described in Non-Patent Document 3, the secret sharing according to the first embodiment is performed. Similar to the system 1, it is possible to reduce the amount of calculation in the data restoration process of the secret sharing scheme.

[Third Embodiment]
The secret sharing system 3 according to the third embodiment of the present invention is a configuration example using polynomials linearly combined by exclusive OR operation. In the data distribution process, a distributed value of the ciphertext C is generated using the polynomial. In the data restoration process, the variance value of the ciphertext C is interpolated using the polynomial.

<Configuration>
A configuration example of the secret sharing system 3 will be described in detail with reference to FIG. The secret sharing system 3 includes a data sharing device 12, a data restoration device 22, at least N data storage devices 30, and a network 90. The data distribution device 12, the data restoration device 22, and the data storage devices 30 ₁ to 30 _N are connected to the network 90. The network 90 may be configured so that the data distribution device 12 and the data storage devices 30 ₁ to 30 _N can communicate with each other, and the data restoration device 22 and the data storage devices 30 ₁ to 30 _N can communicate with each other. For example, it can be configured by the Internet, LAN, WAN, or the like. The data distribution device 12 and the data storage devices 30 ₁ to 30 _N , and the data restoration device 22 and the data storage devices 30 ₁ to 30 _N do not necessarily need to be able to communicate online via a network. For example, the information output from the data distribution device 12 may be stored in a portable medium such as a USB memory, and input from the portable medium to the data storage devices 30 ₁ to 30 _N offline. Similarly, the information output from the data storage devices 30 ₁ to 30 _N may be stored in a portable medium such as a USB memory, and input from the portable medium to the data restoration device 22 offline.

  A configuration example of the data distribution device 12 included in the secret sharing system 3 will be described in detail with reference to FIG. Similar to the data distribution apparatus 10 according to the first embodiment, the data distribution apparatus 12 includes a ciphertext division unit 120 and a distributed value distribution unit 160. An encryption unit 112 is provided instead of the encryption unit 110, a ciphertext distribution unit 131 is provided instead of the ciphertext distribution unit 130, a key distribution unit 142 is provided instead of the key distribution unit 140, and the distributed value generation unit 150 Instead, a variance value generation unit 152 is provided. Therefore, the difference between the data distribution device 12 and the data distribution device 10 is that the processes of the encryption unit, the ciphertext distribution unit, the key distribution unit, and the distributed value generation unit are different.

  With reference to FIG. 18, a configuration example of the data restoration device 22 included in the secret sharing system 3 will be described in detail. Similar to the data restoration device 20 according to the first embodiment, the data restoration device 22 includes a distributed value selection unit 210, a divided ciphertext extraction unit 220, and a ciphertext combination unit 240. A split ciphertext interpolation unit 231 is provided instead of the split ciphertext interpolation unit 230, a key recovery unit 252 is provided instead of the key recovery unit 250, and a decryption unit 262 is provided instead of the decryption unit 260. Therefore, the difference between the data restoration device 20 and the data restoration device 22 is that the processes of the divided ciphertext interpolation unit, the key restoration unit, and the decryption unit are different.

<Data distribution processing>
In this embodiment, the secret key SK is secret keys SK ₁ and SK ₂ , and the bit length of the plaintext A is n bits. The secret keys SK ₁ and SK ₂ are randomly generated. Here, a case where N = 3 and M = 2 will be described as an example.

The encryption unit 112 included in the data distribution device 12 generates an n-bit hash value H from the secret keys SK ₁ and SK ₂ . Any known hash function can be used to generate the hash value. Specifically, for example, SHA-1 or MD5 can be applied. For example, H = Hash (SK ₁ || SK ₂ || 1) || Hash (SK ₁ || SK ₂ || 2) ||… || Hash (SK ₁ || SK ₂ || K) Generate a value. Here, K is the smallest integer with which H is n bits or more, Hash is a hash function, and || is data concatenation. In this way, the hash value H cannot be calculated unless both the secret keys SK ₁ and SK ₂ are known. Then, the ciphertext C is generated by calculating the exclusive OR of the plaintext A and the hash value H by the following formula.

Ciphertext distribution unit 131 included in the data distribution apparatus 12, the upper n / 2 bits of the ciphertext C and the dividing value C _0, the lower n / 2 bits and the divided value C _1. Then, the variance value D ₁ is generated by calculating the exclusive OR operation of the division value C ₀ and the division value C ₁ by the following formula.

The key distribution unit 142 included in the data distribution device 12 generates SK ₃ by calculating an exclusive OR operation between the secret key SK ₁ and the secret key SK _{2 according to} the following equation.

The variance value generation unit 152 included in the data distribution device 12 generates variance values U ₁ (A),..., U ₃ (A) as shown in the following equation.

<Data restoration processing>
Division ciphertext interpolation section 231 included in the data restoration unit 22, division value _{C '0, ..., C'} M-M'-1 and the dispersion value D _'1, ..., D' an exclusive OR of the _{M '} By dividing, the divided values C ₀ ,..., C _M−1 are interpolated. For example, the dispersion value U ₁ (A) and the dispersion value U ₂ (A) is when it is selected, following the formula and the dispersion value D ₁ included in the dispersion value U ₁ (A) variance U ₂ (A The division value C ₁ can be obtained by calculating an exclusive OR with the division value C ₀ included in ().

The key recovery unit 252 included in the data recovery device 22 calculates the exclusive OR of the secret keys SK ₁ and SK ₃ or the secret keys SK ₂ and SK ₃ . For example, when the variance value U ₂ (A) and the variance value U ₃ (A) are selected, the secret key SK ₂ included in the variance value U ₂ (A) and the variance value U ₃ (A The secret key SK ₁ can be obtained by calculating an exclusive OR with SK ₃ included in ().

The decryption unit 262 included in the data restoration device 22 generates an n-bit hash value H from the restored secret keys SK ₁ and SK ₂ . The hash value is generated using the same hash function as the hash function used by the encryption unit 112 included in the data distribution device 12. Then, the plaintext A is generated by calculating the exclusive OR of the ciphertext C and the hash value H by the following formula.

  In the above description, the case where the total number of variance values is N = 3 and the minimum number of variance values required for restoration is M = 2 has been described. can do.

<Features of Third Embodiment>
With reference to FIG. 19, the principle of data distribution processing by the secret sharing system 3 according to the third embodiment will be described. Here, for simplicity, the case of N = 3 and M = 2 is shown as an example. Differences from the first embodiment, the division value C _0, ..., dispersion value D ₁ from the C _M-1, ..., a process for generating a D _NM. First, the ciphertext C is divided to generate divided values C ₀ and C ₁ . Next, a variance value D ₁ is generated by calculating an exclusive OR of the division value C ₀ and the division value C ₁ . Then, the dispersion value D ₁ to the dispersion value T _1, the division value C ₀ to the dispersion value T _2, respectively set cutoff value C ₁ to the dispersion value T _3.

With reference to FIG. 20, the principle of data restoration processing by the secret sharing system 3 according to the third embodiment will be described. FIG. 20A shows a case where all the divided values C ₀ and C _{1 obtained} by dividing the ciphertext C are selected. In this case, the ciphertext C can be obtained by combining the divided values C ₀ and C ₁ in a predetermined order. FIG. 20B shows a case where the divided value C ₁ is not obtained among the divided values C ₀ and C ₁ obtained by dividing the ciphertext C. In this case, the exclusive dispersion value D ₁ is the logical sum of the division value C ₀ instead of the division value C ₁ which can not be obtained division value C ₁ is obtained. Therefore, the division value C ₁ can be obtained by calculating the exclusive OR of the variance value D ₁ and the division value C ₀ . Then, the ciphertext C can be obtained by combining the division value C ₀ and the division value C ₁ in a predetermined order.

The confidentiality of plaintext A in this embodiment will be described. First, since the plaintext A is encrypted using the secret keys SK ₁ and SK ₂ , a part of the plaintext A cannot be restored only with the ciphertext C. Further, since the ciphertext C is encrypted using a hash value H generated from the private key SK _1, SK _2, it is only to obtain either a secret key SK _1, SK ₂ to obtain the hash value H Cannot be restored, even part of plaintext A cannot be restored.

Since the distributed values U ₁ (A),..., U ₃ (A) include the divided values C ₀ and C ₁ obtained by dividing the ciphertext C, if all the divided values C ₀ and C ₁ can be obtained, The ciphertext C can be obtained only by combining them. Therefore, also in this embodiment, it is possible to reduce the calculation amount of the data restoration processing of the secret sharing scheme.

[Program, recording medium]
The present invention is not limited to the above-described embodiment, and it goes without saying that modifications can be made as appropriate without departing from the spirit of the present invention. The various processes described in the above-described embodiments are not only executed in time series according to the order described, but may be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes.

  When various processing functions in each device described in the above embodiment are realized by a computer, the processing contents of the functions that each device should have are described by a program. Then, by executing this program on a computer, various processing functions in each of the above devices are realized on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

1, 2, 3 Secret sharing system 10, 11, 12 Data distribution device 20, 21, 22 Data restoration device 30 ₁ to 30 _N Data storage device 90 Network 110, 111, 112 Encryption unit 120 Ciphertext division unit 130, 131 Ciphertext distribution unit 140, 141, 142 Key distribution unit 150, 151, 152 Distributed value generation unit 160 Distributed value distribution unit 210 Distributed value selection unit 220 Split ciphertext extraction unit 230, 231 Split ciphertext interpolation unit 240 Ciphertext combination unit 250, 251, 252 Key restoration unit 260, 261, 262 Decryption unit 310 Distributed value storage unit

Claims (6)

A secret sharing system including a data distribution device and a data restoration device,
M and N are integers of 2 or more, M ′ is an integer of 0 or more, and M ′ ≦ M < N.
The data distribution device includes:
An encryption unit that encrypts plaintext A using a secret key SK and generates ciphertext C;
A ciphertext dividing unit that divides the ciphertext C into M divided values C ₀ ,..., C _M−1 ;
By calculating a polynomial g (x) defined by the following equation for each of x = 1,..., NM, a ciphertext distribution unit that generates _NM distributed values D _{1 ,.}

The original data can be recovered by using M or more of the N distributed values, and the secret key SK is set to N according to a secret sharing scheme in which the original data cannot be recovered from less than M distributed values . A key distribution unit distributed to distributed values S ₁ (SK),..., S _N (SK);
The dispersion value D _1, ..., D _NM variance value T ₁ (C), ..., and T _NM (C), the divided value _{C 0, ..., C M-} 1 dispersion value T _{NM + 1} ( C), ..., and T _N (C), the dispersion value _{T i (C) (i =} 1, ..., N) and variance _{S i (SK) (i =} 1, ..., N) in the set minute A variance value generation unit for generating a variance U ₁ (A),..., U _N (A);
With
The data restoration device includes:
M ′ are M dispersion values U ′ arbitrarily selected from the dispersion values U ₁ (A),..., U _N (A) among the dispersion values T ₁ (C) _{,. 1} (a), ..., and the number of those contained in U _'M (a),
'If> 0, the dispersion value T ₁ (C), ..., the dispersion value U of _{T NM (C)' M 1} (A), ..., number 'M included in _M (A)' to U the variance _{T '1 (C), ...} , T' M '(C) a dispersion value D' _1, ..., extracted as D _'M',
'If> 0, the dispersion value _{T N-M + 1 (C} ), ..., the dispersion value of _{T N (C) U' M} -M 1 (A), ..., U 'M (A) , M ′ M variance values T ′ _{M ′ + 1} (C),..., T ′ _M (C) included in the data are extracted as divided values C ′ _{0 ,.} A ciphertext extraction unit;
The division value _{C 0, ..., C M-} 1 of either the divided value C _'0, ..., C' if not included in _M-M'-1, the polynomial g a (x), wherein The division values C ′ ₀ ,..., C ′ _M−M′−1 include M−M ′ division values C _i (1 ≦ i ≦ M−1) as constants, and the division values C ′ ₀ ,. , C ′ _M−M′−1 , M ′ divided values C _j (1 ≦ j ≦ M−1) are used as variables, and the variance values D ′ ₁ ,..., D ′ _{M ′} are obtained. a divided ciphertext interpolating unit for interpolating the divided values C ₀ ,..., C _M-1 by solving as a simultaneous equation consisting of M ′ equations into which x is substituted ;
A ciphertext combining unit that combines the divided values C ₀ ,..., C _M-1 to obtain the ciphertext C;
According to the secret sharing scheme, the dispersion value _{U '1 (A), ...} , U' M variance S contained in _{(A) '1 (SK)} , ..., S' from _M (SK), the secret key SK A key recovery unit for recovering
Decrypting the ciphertext C using the secret key SK, and obtaining the plaintext A;
A secret sharing system comprising: The secret sharing system according to claim 1 ,
p is a prime number greater than N greater than the plaintext A,
The encryption unit is
R ₁ , ..., R _M-1 is a fixed-length random number, and V (R ₁ ), ..., V (R _M-1 ) is 0 or more p using the random numbers R ₁ , ..., R _M-1 as seeds. A pseudo-random number that is an integer less than or equal to h (x) is a polynomial with h (0) = A and h (i) = V (R _i ) (i = 1,..., M−1), and h (M) Generate the ciphertext C by calculating mod p,
The key distribution unit
According to a predetermined secret sharing scheme, each of the random numbers R ₁ ,..., R _{M-1 is} divided into N distributed values S ₁ (R _i ),..., S _N (R _i ) (i = 1,. )
The variance value generation unit
The dispersion values T _i (C) (i = 1,..., N) and the dispersion values S _i (R ₁ ),..., S _i (R _M-1 ) (i = 1,. To generate the variance values U ₁ (A),..., U _N (A),
The key recovery unit
According to the secret sharing scheme, the dispersion value _{U '1 (A), ...} , U' M variance _{S '1 (R i),} ..., S' contained in the _{(A) N (R i)} (i = 1 , ..., M-1) to restore the random numbers R ₁ , ..., R _M-1 respectively,
The decoding unit
The pseudo random numbers V (R ₁ ), ..., V (R _M-1 ) are generated from the random numbers R ₁ , ..., R _M-1 , and h (i) = V (R _i ) (i = 1, ... , M−1) and h (M) = C to obtain h (0), thereby obtaining the plaintext A. M and N are integers of 2 or more, and M < N.
An encryption unit that encrypts plaintext A using a secret key SK and generates ciphertext C;
A ciphertext dividing unit that divides the ciphertext C into M divided values C ₀ ,..., C _M−1 ;
By calculating a polynomial g (x) defined by the following equation for each of x = 1,..., NM, a ciphertext distribution unit that generates _NM distributed values D _{1 ,.}

The original data can be recovered by using M or more of the N distributed values, and the secret key SK is set to N according to a secret sharing scheme in which the original data cannot be recovered from less than M distributed values . A key distribution unit distributed to distributed values S ₁ (SK),..., S _N (SK);
The dispersion value D _1, ..., D _NM variance value T ₁ (C), ..., and T _NM (C), the divided value _{C 0, ..., C M-} 1 dispersion value T _{NM + 1} ( C), ..., and T _N (C), the dispersion value _{T i (C) (i =} 1, ..., N) and variance _{S i (SK) (i =} 1, ..., N) in the set minute A variance value generation unit for generating a variance U ₁ (A),..., U _N (A);
A data distribution apparatus comprising: M and N are integers of 2 or more, M ′ is an integer of 0 or more, and M ′ ≦ M < N.
The divided values C ₀ , ..., C _M-1 obtained by dividing the ciphertext C obtained by encrypting the plaintext A using the secret key SK are set as the distributed values T _{N-M + 1} (C), ..., T _N (C). , polynomial g (x) of x = 1 is defined by the following equation, ..., dispersion value D ₁ generated by calculating respectively for NM, ..., D _NM variance value _{T 1 (C), ...,} T NM (C)

The original data can be restored by using M or more of the N distributed values, and the secret key SK is distributed according to a secret sharing scheme in which the original data cannot be restored from less than M distributed values. Variance value S ₁ (SK), ..., S _N (SK), variance value T _i (C) (i = 1, ..., N) and variance value S _i (SK) (i = 1, ..., N) the dispersion value U ₁ that was set _{(a), ..., U N} (a) dispersion value of M variance values arbitrarily selected from _{U '1 (a), ...} , U' and _M (a),
'Said dispersion value _{T 1 (C), ...,} T NM the dispersion value U of _{(C)' M 1 (A} ), ..., and the number of those contained in U _'M (A),
'If> 0, the dispersion value T ₁ (C), ..., the dispersion value U of _{T NM (C)' M 1} (A), ..., number 'M included in _M (A)' to U the variance _{T '1 (C), ...} , T' M '(C) a dispersion value D' _1, ..., extracted as D _'M',
'If> 0, the dispersion value _{T N-M + 1 (C} ), ..., the dispersion value of _{T N (C) U' M} -M 1 (A), ..., U 'M (A) , M ′ M variance values T ′ _{M ′ + 1} (C),..., T ′ _M (C) included in the data are extracted as divided values C ′ _{0 ,.} A ciphertext extraction unit;
The division value _{C 0, ..., C M-} 1 of either the divided value C _'0, ..., C' if not included in _M-M'-1, the polynomial g a (x), wherein The division values C ′ ₀ ,..., C ′ _M−M′−1 include M−M ′ division values C _i (1 ≦ i ≦ M−1) as constants, and the division values C ′ ₀ ,. , C ′ _M−M′−1 , M ′ divided values C _j (1 ≦ j ≦ M−1) are used as variables, and the variance values D ′ ₁ ,..., D ′ _{M ′} are obtained. a divided ciphertext interpolating unit for interpolating the divided values C ₀ ,..., C _M-1 by solving as a simultaneous equation consisting of M ′ equations into which x is substituted ;
A ciphertext combining unit that combines the divided values C ₀ ,..., C _M-1 to obtain the ciphertext C;
According to the secret sharing scheme, the dispersion value _{U '1 (A), ...} , U' M variance S contained in _{(A) '1 (SK)} , ..., S' from _M (SK), the secret key SK A key recovery unit for recovering
Decrypting the ciphertext C using the secret key SK, and obtaining the plaintext A;
A data restoration device comprising: M and N are integers of 2 or more, M ′ is an integer of 0 or more, and M ′ ≦ M < N.
An encryption step in which the data distribution device encrypts plaintext A using a secret key SK to generate ciphertext C;
A ciphertext dividing step in which the data distribution device divides the ciphertext C into M divided values C ₀ , ..., C _M-1 ;
The data distribution device generates _NM distributed values D ₁ ,..., D _NM by calculating a polynomial g (x) defined by the following equation for x = 1 _,. Steps,

The data distribution apparatus can restore the original data by using M or more of the N distribution values, and the secret distribution method cannot restore the original data from less than M distribution values. A key distribution step for distributing the key SK to N distributed values S ₁ (SK),..., S _N (SK);
The data distribution apparatus, the dispersion value D _1, ..., D _NM variance value T ₁ (C), ..., and T _NM (C), the divided value C _0, ..., a C _M-1 dispersion value T _{N-M + 1} (C), ..., T _N (C), dispersion value T _i (C) (i = 1, ..., N) and dispersion value S _i (SK) (i = 1, ..., N ) was a set amount Chichi U ₁ (a), ..., a dispersion value generating step of generating U _N (a),
The data restoration device has M ′ arbitrarily selected from the dispersion values U ₁ (A),..., U _N (A) among the dispersion values T ₁ (C) _,. dispersion value _{U '1 (a), ...} , U' and the number of those included in _M (a),
'If> 0, the dispersion value T ₁ (C), ..., the dispersion value U of _{T NM (C)' M 1} (A), ..., number 'M included in _M (A)' to U the variance _{T '1 (C), ...} , T' M '(C) a dispersion value D' _1, ..., extracted as D _'M',
'If> 0, the dispersion value _{T N-M + 1 (C} ), ..., the dispersion value of _{T N (C) U' M} -M 1 (A), ..., U 'M (A) , M ′ M variance values T ′ _{M ′ + 1} (C),..., T ′ _M (C) included in the data are extracted as divided values C ′ _{0 ,.} A ciphertext extraction step;
Wherein the data restoration device, the divided value _{C 0, ..., C M-} 1 of either the divided value C _'0, ..., C' if not included in _M-M'-1, the polynomial g (x) is defined by using M−M ′ divided values C _i (1 ≦ i ≦ M−1) included in the divided values C ′ ₀ ,..., C ′ _M−M′−1 as constants. the value C _'0, ..., C' not included in the _{M-M'-1 M} 'number of divided values C _j a (1 ≦ j ≦ M-1 ) as a variable, the dispersion value D' _1, ..., D A divided ciphertext interpolation step for interpolating the divided values C ₀ ,..., C _M-1 by solving as a simultaneous equation consisting of M 'equations substituting each of x obtained for ' _{M '} ;
A ciphertext combining step in which the data restoration device obtains the ciphertext C by combining the divided values C ₀ ,..., C _M-1 ;
The data restoration apparatus according to the secret sharing scheme, the dispersion value _{U '1 (A), ...} , U' variance S included in _{M (A) '1 (SK} ), ..., S' M (SK) From the key recovery step of recovering the secret key SK,
The data restoration device decrypts the ciphertext C using the secret key SK, and obtains the plaintext A; and
A secret sharing method characterized by comprising:   A program for causing a computer to be described as the data distribution device according to claim 3 or the data restoration device according to claim 4.

Images