JP6997696B2 - Secret sharing device, secret sharing system, and secret sharing method - Google Patents

Description

The present invention relates to a secret sharing device, a secret sharing system, and a secret sharing method.

As a typical example of the secret sharing method, there is a (k, n) threshold secret sharing method devised by Shamir. Shamir's (k, n) threshold secret sharing method distributes secret information (original data) into n nonsensical distributed data and collects k or more distributed data out of n distributed data. It is a method that can restore confidential information (original data).

However, since Shamir's (k, n) threshold secret sharing method realizes secret information distribution processing and restoration processing by polynomial interpolation, which is a complicated process, it is often used for secret sharing a large amount of data. Requires the amount of calculation.

Therefore, Japanese Patent Application Laid-Open No. 2007-124032 (Patent Document 1) is available as a background technique of the (2, n) secret sharing method realized only by an exclusive OR operation which is a simple process. In this publication, "the secret information S of the storage unit 11 is divided to generate n-1 first divided secret data K (1), ..., K (j), ..., K (n-1). , Zero-valued split secret data K (0) is generated, and n-1 random data R (0), ..., R (i), ..., R (n-) having the same size as each split secret data, for example. 2) is generated, and n (n-1) pieces are generated based on the divided secret data K (0), ..., K (n-1) and the random number data R (0), ..., R (n-2). Distributed partial data D (j, i) = K (j−i (mod n)) (+) R (i) is calculated ((+) is an exclusive logical sum), and the variances have the same row number j. N pieces of distributed information D (0), ..., D (j), ..., D (n-1) having partial data D (j, 0) to D (j, n-2) are individually n pieces. It is distributed to the storage device. Of these, the secret information S can be restored based on any two distributed information D (i) and D (j). ”(See summary).

Japanese Unexamined Patent Publication No. 2007-124032

However, the technique described in Patent Document 1 cannot determine whether the distributed data is correct when the distributed data is corrupted or when a third party intentionally falsifies the correct distributed data. .. Therefore, one aspect of the present invention is to generate distributed data that can be confirmed to be correct data in secret sharing with a small amount of calculation.

In order to solve the above problems, one aspect of the present invention adopts the following configuration. The secret sharing device includes a processor and a storage device, the storage device holds secret data and public parameters, and the processor divides the secret data, and the divided secret data and a plurality of secret data. A plurality of partially distributed data are generated based on the exclusive logical sum of the first random number group consisting of random numbers, and obtained from the hash value of the secret data by a predetermined hash function and the random number of the first random number group. The hash value of the first value by the predetermined hash function and the hash value of each of the plurality of partially distributed data by the predetermined hash function are calculated, and for each of the plurality of partially distributed data, the secret data of the secret data is calculated. A first function consisting of a value obtained by substituting the partial distribution data into a first function having a hash value and a hash value of the first value as a coefficient or a constant term, and a random number not included in the first random number group. 2 Addition distribution data including a value obtained by substituting the partial distribution data into a second function having a random number of a random number group as a coefficient or a constant term is added to the partial distribution data to generate distribution data. , The second value calculated based on the public parameter, the hash value of the secret data, and the first random number included in the second random number group by outputting each of the distributed data to different output destinations, and the above. A secret distribution device that includes the public parameter, the hash value of the first value, and the third value calculated based on the second random number included in the second random number group in the verification data of the distributed data. ..

According to one aspect of the present invention, in secret sharing, distributed data that can be confirmed to be correct data can be generated with a small amount of calculation.

Issues, configurations and effects other than those described above will be clarified by the following description of the embodiments.

It is a block diagram which shows the whole structure example of the secret sharing system in Example 1. FIG. It is a block diagram which shows the configuration example of the computer in Example 1. FIG. It is a sequence diagram which shows an example of the whole processing of secret data distribution in Example 1. It is a sequence diagram which shows an example of the restoration processing by the whole secret sharing system in Example 1. FIG. It is a flowchart which shows an example of the details of the decentralization processing of a secret information in Example 1. FIG. It is a flowchart which shows an example of the storage process of the distributed data by each storage server in Example 1. FIG. It is a flowchart which shows an example of the details of the restoration process by a client apparatus in Example 1. FIG. It is a table which shows the value of each block of the distributed data distributed to the storage server apparatus in Example 1. It is a table which shows the value of each block of the partial distribution data obtained by deleting the additional distribution data from the distribution data stored in the storage server apparatus in Example 1.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In the present embodiment, the same components are designated by the same reference numerals in principle, and repeated description thereof will be omitted. It should be noted that the present embodiment is merely an example for realizing the present invention and does not limit the technical scope of the present invention.

<System configuration>
FIG. 1 is a block diagram showing an overall configuration example of a secret sharing system. This figure shows an example of the overall configuration of the secret sharing system as well as an example of the functional configuration of each device included in the secret sharing system.

The secret sharing system 1 is, for example, a client device 10, a verification data disclosure device 30, and a plurality of (n units in this embodiment) storage server devices 20 _i (i = 1, 2, ..., N). -1) and, and these are connected to each other via a network 40 such as the Internet.

That is, the secret sharing system 1 is a computer network system in which a client device 10, a storage server device 20 _i , and a verification data disclosure device 30 are communicably connected via a network 40 such as the Internet. The plurality of storage server devices 20 _i may be partially or wholly operated by the same organization, or may be entirely operated by different organizations.

Hereinafter, when it is not necessary to particularly distinguish each part included in the storage server devices 20 ₁ to 20 _n-1 , and the storage server devices 20 ₁ to 20 _n-1 , the description of the storage server device 20 is added. The characters are omitted, or the description is generalized as described in the storage server device _20i .

The client device 10 includes, for example, a communication unit 101, a control unit 102, an input / output unit 103, a distributed data generation unit 104, a data restoration unit 105, and a random number generation unit 106. The communication unit 101 communicates with other devices. The control unit 102 controls the entire client device 10. The input / output unit 103 performs instructions to the client device 10 and input of data and the like, and outputs instructions and data and the like from the client device 10.

The distributed data generation unit 104 distributes the secret information described later to generate the distributed data D (i), and distributes the distributed data D (i) to the storage server device 20 _i , respectively. That is, the client device 10 functions as a secret information distribution device that distributes secret information. Further, the verification data and the disclosure parameter described later are generated and distributed to the verification data disclosure device 30. The data restoration unit 105 collects a necessary number of distributed data (in this embodiment, two normal data that have not been tampered with or damaged) from the storage server device 20 and restores the original confidential information.

The random number generation unit 106 generates random numbers in response to instructions from the distributed data generation unit 104 and the like. Further, the client device 10 holds the secret information 107. The confidential information 107 is data to be concealed by decentralization, and is original data before decentralization.

Each storage server device 20 _i includes a communication unit 201 _i , a storage unit 202 _i , and a verification unit 204 _i . The communication unit 201 _i communicates with another device. The storage unit 202 _i holds the distributed data (D (i)) 203 _i received via the communication unit 201 _i . The verification unit 204 _i verifies whether the received distributed data has been tampered with or damaged.

The verification data disclosure device 30 includes a communication unit 301 _i and a storage unit 302 _i . The communication unit 301 _i communicates with another device. The storage unit 302 _i is, for example, a verification data ((G ₁ , G ₂ )) 303, which will be described later, and a public parameter ((p, g ₁ , g ₂ )) 304, which will be described later, received via the communication unit 301 _i . To hold. The verification data 303 and the public parameter 304 are disclosed in the secret sharing system 1 and are used for the falsification detection process of the distributed data by the client device 10 and the storage server device _20i , the restoration process of the secret information by the client device 10, and the like. ..

FIG. 2 is a block diagram showing a configuration example of the computer 50. The client device 10, the storage server device 20, and the verification data disclosure device 30, respectively, are configured by, for example, the computer shown in FIG. The computer 50 includes, for example, a communication device 501, an input device 502, a memory 503, an auxiliary storage device 504, a CPU (Central Processing Unit) 505, and an output device 506, which are connected to each other via an internal communication line such as a bus 507. It is connected.

The CPU 505 includes a processor and executes a program stored in the memory 503. The memory 503 includes a ROM which is a non-volatile storage element and a RAM which is a volatile storage element. The ROM stores an invariant program (for example, BIOS) and the like. The RAM is a high-speed and volatile storage element such as a DRAM (Dynamic Random Access Memory), and temporarily stores a program executed by a processor and data used when the program is executed.

The auxiliary storage device 504 is, for example, a large-capacity non-volatile storage device such as a magnetic storage device (HDD) or a flash memory (SSD), and stores a program executed by the CPU 505 and data used when the program is executed. .. That is, the program is read from the auxiliary storage device 504, loaded into the memory 503, and executed by the CPU 505.

The computer 50 may have an input interface and an output interface. The input interface is an interface to which an input device 502 such as a keyboard or a mouse is connected and receives input from an operator. The output interface is an interface to which an output device 506 such as a liquid crystal display device, an organic EL (Electroluminescence) display device, or a printer is connected, and outputs a program execution result in a format that can be visually recognized by an operator.

The communication device 501 is a network interface device that controls communication with other devices according to a predetermined protocol. For example, the communication unit 101 of the client device 10, the communication unit 201 of the storage server device 20, and the communication unit 301 of the verification data disclosure device 30 are each configured by the communication device 501.

The program executed by the CPU 505 is provided to the computer 50 via a removable medium (CD-ROM, flash memory, etc.) or a network 40, and is stored in a non-volatile auxiliary storage device 504 which is a non-temporary storage medium. Therefore, the computer 50 may have an interface for reading data from removable media.

Each device included in the secret sharing system 1 is a computer system composed of physically one computer or a plurality of computers logically or physically configured, and is separate on the same computer. It may run on a thread of, or it may run on a virtual computer built on multiple physical computer resources.

For example, the control unit 102, the distributed data generation unit 104, the data restoration unit 105, and the random number generation unit 106 of the client device 10 are realized by a program executed by the CPU 505. Specifically, for example, the CPU 505 functions as a control unit 102 by operating according to the control program loaded in the memory 503, and operates according to the distributed data generation program loaded in the memory 503 to generate distributed data. It functions as a unit 104. The same applies to the verification unit 204 of the storage server device 20.

For example, the storage unit 202 _i of the storage server device 20 and the storage unit 302 of the verification data disclosure device 30 are each composed of a part of the storage area included in the memory 503 or the auxiliary storage device 504. Further, for example, the secret information 107 is stored in the memory 503 or the auxiliary storage device 504 of the client device 10.

In the present embodiment, the information used by each device included in the secret sharing system 1 may be represented by any data structure without depending on the data structure. For example, a properly selected data structure from a table, list, database or queue can store the information.

<Processing procedure example>
Hereinafter, an example of the processing in this embodiment will be described. In the various operations corresponding to the secret sharing process described below, each device constituting the secret sharing system 1, that is, the client device 10, the storage server device 20 _i , and the verification data disclosure device 30 each loads into the memory 503 and the like. It is realized by the program to be executed.

First, the decentralization process will be described with reference to FIGS. 3, 5, 6, and 8. FIG. 3 is a sequence diagram showing an example of the entire processing of secret data distribution. The process of FIG. 3 is started, for example, with an instruction from the user of the client device 10 (including information indicating confidential information to be decentralized) as an opportunity.

First, the distributed data generation unit 104 of the client device 10 generates public parameters (p, g ₁ , g ₂ ) (S10), and the communication unit 101 transmits the public parameters to the verification data public device 30 (. S11). Since the public parameter is used for the restoration process of the secret information described later, the distributed data generation unit 104 may store the generated public parameter in the auxiliary storage device 504 of the client device 10.

The verification data publishing device 30 stores the received public parameters (p, g ₁ , g ₂ ) as public parameters 304 in the storage unit 302, and also stores the public parameters 304 for the client device 10 and the storage server device 20. It is disclosed in the secret sharing system 1 (S12). That is, each of the client device 10 and the storage server device 20 can acquire the public parameter 304 from the verification data disclosure device 30 by requesting the verification data disclosure device 30 to acquire the public parameter 304. ..

The value p is a sufficiently large prime number such that q = (p-1) / 2 is a prime number (for example, p is a prime number of 1024 bits or more). Further, the values g ₁ and g ₂ are different elements of the order q of the finite field modulo p, that is, g ₁ , g ₂ ∈ GF (p), ord (g ₁ ) = ord (g ₂ ) = q. Is. The same public parameters (p, g ₁ , g ₂ ) may be used for different secret information, or the public parameters (p, g ₁ , g ₂ ) may be different for each secret information.

The distributed data generation unit 104 of the client device 10 decentralizes the secret information 107 (hereinafter, referred to as the secret information S, if necessary) (S20). The details of the decentralization process in step S20 will be described with reference to FIG.

FIG. 5 is a flowchart showing an example of details of the decentralized processing of the confidential information in step S20. Here, it is assumed that the data length of the secret information S is d × (n-1) (d is a predetermined natural number of 1 or more). If the data length of the secret information S is not divisible by n-1, the distributed data generation unit 104 adjusts the data length so that it is divisible by n-1 by performing padding processing on the secret information S. , It is decided again as confidential information S.

First, the distributed data generation unit 104 decentralizes the secret information S ∈ {0,1} ^{d (n-1)} (S201). Specifically, for example, the distributed data generation unit 104 simply divides the secret information S into n-1 blocks (S201). Here, the secret information S is S = S ₁ || ... || Sn _-1 (the symbol "||" indicates data concatenation), and each divided block is S ₁ , ... ..., Notated as _Sn-1 . Further, the distributed data generation unit 104 newly generates S ₀ ∈ {0} ^d .

Next, the distributed data generation unit 104 calculates the hash value of the secret information, the random number, and the partially distributed data (S202). Specifically, first, the random number generation unit 106 sets n-1 random numbers R ₀ , ..., R _n-2 having a data length of d, for example, independently of each other (that is, between the selected random numbers). Randomly select (i.e., Ri ∈ _{ 0, 1} ^d ) so that there is no predetermined regularity). Then, the distributed data generation unit 104 sets D (i, j) = S _{(i-j mod n)} xor R _j (0 ≦ i ≦ n-1, 0 ≦ j ≦ n-2) to each (i, Calculate for j).

The distributed data generation unit 104 calculates the hash value of the secret information S = S ₁ || ... || Sn _-1 and the random number R = R ₀ ||...|| R _n-2 . Further, the distributed data generation unit 104 connects each D (i, j) for each i, and the partial distributed data D'(i) = D (i, 0) || ... || D (i, n- 2), (0 ≦ i ≦ n-1) are generated.

The distributed data generation unit 104 is a hash of each partially distributed data D'(i) = D (i, 0) || ... || D (i, n-2), (0≤i≤n-1). Calculate the value. Here, a hash function having an output length d'(for example, d'is about 256 bits) is represented by H (), H (S) = h _S , H (R) = h _R , and H (D'(. i)) = h _D'(i) , (0 ≦ i ≦ n-1).

This hash function may be stored in advance in the auxiliary storage device 504 of the client device 10 and the storage server device 20 _i , or may be disclosed in the secret sharing system 1 by the verification data disclosure device 30. ..

Next, the random number generation unit 106 further selects random numbers a, b ∈ GF (q), and the distributed data generation unit 104 further selects two linear equations, F (X) = h _S + h _R X mod q and F'(. X) = a + bX mod q is generated (S203).

Next, the distributed data generation unit 104 generates additional distributed data D (i, n-1) = F (h _D'(i) ) = fi and D ( _i , n) = F'(h _D'(i ). ₎ ) ₌ Calculate f'i (S204).

Next, the distributed data generation unit 104 uses G ₁ = pow (g ₁ , h _S ) × pow (g ₂ , a) mod p, G ₂ = pow (g ₁ , h _R ) × pow as verification data. (g ₂ , b) modd p is generated (S30), and (G ₁ , G ₂ ) is transmitted to the verification data disclosure device 30 as verification data (S31). The function power () indicates an exponential function, which means power (a, b) = a ^b .

Then, the verification data disclosure device 30 stores the received (G ₁ , G ₂ ) as the verification data 303, and at the same time, the verification data (G ₁ ) is stored in the client device 10 and the storage server device 20 _i . , G2) is disclosed in the secret sharing system ₁ (S32). The distributed data generation unit 104 connects the partially distributed data and the additional distributed data to the distributed data D (i) = D'(i) || D (i, n-1) || D (i, n), (0). ≦ i ≦ n-1) are distributed to the storage server device 20 _i (S40), respectively.

Returning to the description of FIG. Subsequently, each storage server device 20 _i acquires verification data (G ₁ , G ₂ ) and public parameters (p, g ₁ , g ₂ ) from the verification data disclosure device 30, and distributes data stored by itself. D ( _i ) The validity of 203i is verified (S50), and the distributed data D (i) is managed (S60).

FIG. 6 is a flowchart showing an example of the storage processing of the distributed data by each storage server device _20i in steps S50 and S60. Each storage server device 20 _i is distributed data D (i) = D'(i) || D (i, n-1) ||, which is data obtained by concatenating partially distributed data and additional distributed data from the client device 10. Receives D (i, n) and (0 ≦ i ≦ n-1) (step S401).

FIG. 8 is a table showing the value of each block of distributed data distributed to the storage server device 20. FIG. 8 shows an example in the case of n = 5. The value of the cell in the m-th row and the l-th column of the table indicates the value of the l-th block when D (i) at i = m is divided into block lengths of length d.

First, the details of the verification process in step S50 will be described. The verification unit 204 acquires verification data (G ₁ , G ₂ ) and disclosure parameters (p, g ₁ , g ₂ ) from the verification data disclosure device 30 (S501). The verification unit 204 _i is partially distributed data and additional dispersion from the distributed data D ( _i ) = D'(i) || D (i, n-1) = fi || D ( _i , n) = f'i. The data is taken out, and the hash value H (D'(i)) = h _D'(i) of the partially distributed data D'(i) is calculated (S502).

Subsequently, the management process in step S60 will be described. The verification unit 204 _i confirms whether power (g ₁ , _fi ) × power (g ₂ , f'i) ≡ G ₁ × power (G ₂ , h _{D'(i) )} mod p (S503). ). When the verification unit 203 _i determines that the mathematical formula in step S503 holds (S503: yes), the storage server device 20 _i stores D (i) 203 _i assuming that the received distributed data is correct data (S601). ).

On the other hand, when the verification unit _204i determines that the mathematical formula in step S503 does not hold (S503: no), it processes it as ERROR (S602). Specifically, for example, the verification unit 204 _i outputs the ERROR to the output device 506 of the storage server device 20 _i . Further, for example, the verification unit 204 _i may notify the client device 10. In this case, for example, the client device 10 simply retransmits the distributed data D (i), or regenerates the distributed data D (i) and then retransmits it to the storage server device 20 _i , and the storage server device 20 _i re-verifies the re-received distributed data D (i).

Hereinafter, the reason why it is possible to determine whether or not the received distributed data is a correct value by determining the success or failure of the mathematical expression in step S503 will be described. From the above definition, G ₁ = pow (g ₁ , h _S ) x pow (g ₂ , a) mod p, G ₂ = pow (g ₁ , h _R ) x pow (g ₂ , b) mod p, F. (X) = h _S + h _R X mod q, F'(X) = a + bX mod q, F (h _D'(i) ) = f _i , F'(h _{D'(i) )} = f'i Because there is
(Right side of the formula in step S503)
≡ G ₁ × power (G ₂ , h _D'(i) ) mod p
≡ {pow (g _1-, hs) x pow (g ₂ , a)} x {pow (pow (g ₁ , h _R ) x pow (g ₂ , b)), h _D'(i )} mod p
≡ power (g ₁ , hs + h _R h _D'(i) ) × power (g ₂ , a + bh _D'(i) ) mod p
≡ power (g ₁ , F (h _D'(i) ) × power (g ₂ , F'(h _D'(i) ) mod p
≡ power (g ₁ , _fi ) × power (g ₂ , _f'i )
≡ (Left side of the formula in step S503)
Is.

Therefore, if the storage server device _20i has acquired the correct public parameters and verification data, it is possible to determine whether or not the received distributed data has the correct value by confirming the success or failure of the mathematical expression in step S503. can.

Next, the restoration process will be described with reference to FIGS. 4, 7, and 9. FIG. 4 is a sequence diagram showing an example of the restoration process by the entire secret sharing system 1. The process of FIG. 4 is started, for example, with an instruction from the user of the client device 10 (including information indicating confidential information to be restored) as an opportunity. First, the client device 10 acquires the distributed data D (i) from each of the two storage server devices 20 (step S70).

Specifically, for example, the data restoration unit 105 of the client device 10 issues a transmission instruction of the distributed data D (i) to, for example, two randomly selected storage server devices 20. Each of the two storage server devices 20 transmits the distributed data D (i) held by the two storage server devices 20 to the client device 10 (step S71).

Further, the client device 10 acquires the verification value data (G ₁ and G ₂ ) from the verification data disclosure device 30 (step S80). Specifically, for example, the data restoration unit 105 of the client device 10 issues a transmission instruction of the verification value data (G ₁ and G ₂ ) to the verification data disclosure device 30. The verification data disclosure device 30 transmits (G ₁ , G ₂ ) to the client device 10 (step S81).

If the client device 10 does not store the verification parameter in the client device 10 when the verification parameter is generated, the client device 10 further acquires the verification parameter from the verification data disclosure device 30 in steps S80 to S81. Subsequently, the data restoration unit 105 of the client device 10 restores the secret information S while confirming the validity of the acquired distributed data D (i) (step S90).

FIG. 7 is a flowchart showing an example of details of the restoration process by the client device 10. FIG. 7 shows the details of the distributed data acquisition process in step S70 and the confidential information restoration process in step S90.

First, the details of step S70 will be described. The data restoration unit 105 of the client device 10 determines whether or not there is an unselected storage server device 20 (that is, not subject to determination in steps S903 and S905 described later) among the n-1 storage server devices 20. (S701). When the data restoration unit 105 determines that the unselected storage server device 20 does not exist (S701: no), the data restoration unit 105 returns ERROR (S906). Specifically, for example, the data restoration unit 105 outputs ERROR to the output device 506 of the client device 10.

When the data restoration unit 105 determines that there is an unselected storage server device 20 (S701: yes), the data restoration unit 105 selects one unselected storage server device 20 and distributes data to the selected storage server device 20. The transmission instruction of D (i) is issued, and the distributed data D (i) is acquired from the storage server device 20 (S702).

Subsequently, as described above, the client device 10 acquires the verification value data (G ₁ and G ₂ ) from the verification data disclosure device 30 (step S80). If the client device 10 has already acquired the verification value data (G ₁ , G ₂ ), step S80 may be omitted.

Next, the details of step S90 will be described. The data restoration unit 105 of the client device 10 has acquired distributed data D (i) = D'(i) || D (i, n-1) = fi || D ( _i , n) = _f'i , respectively. On the other hand, the hash value H (D'(i)) = h _D'(i) of the partially distributed data D'(i) is calculated (S901).

Then, the data restoration unit 105 has power (g ₁ , _fi ) × power (g ₂ , f'i) ≡ for the generated hash value H (D'( _i )) = h _D'(i) . It is confirmed whether G ₁ × power (G ₂ , h _D'(i) ) mod p is obtained (S902). When the data restoration unit 105 determines that the mathematical formula in step S902 does not hold (S902: no), the data restoration unit 105 returns to step S701 and selects new distributed data.

The verification of the mathematical formula in step S902 is the same as in step S503. That is, by executing the verification in step S902, falsification (and damage, etc.) of the distributed data at any timing between the storage process and the restoration is detected, and eventually the restoration process using the altered distributed data is performed. You don't have to do it. The falsification detection process of the distributed data may be executed only at one of the timings of the storage process (steps S501 to S503) and the restoration process (steps S901 to S902).

Then, the data restoration unit 105 determines whether or not two distributed data for which the mathematical expression of step S902 holds have been collected (S903). If the data restoration unit 105 has not yet collected two distributed data for which the formula of step S902 holds (S903: no), the data restoration unit 105 returns to step S701 and selects new distributed data.

When the data restoration unit 105 determines that the two distributed data for which the mathematical expression of step S902 holds has been collected (S903: yes), the data restoration unit 105 restores the confidential information S using the two distributed data (S904). ..

Hereinafter, the details of step S904 will be described. Here, D (i) = D'(i) || D (i, n-1) = fi || D ( _i , n) = f'for each of the two distributed data for which the formula of step S902 holds. _i , D (j) = D'(j) || D (j, n-1) = f _j || D ( _j , n) = f'j.

First, the data restoration unit 105 sets the back 2d'length of the distributed data D (i) and D (j), that is, the additional distributed data D ( _i , n-1) = fi. || D ( _i , n) = f'i and D (j, n-1) = f _j || D ( _j , n) = f'j is the remaining data obtained by deleting the partially distributed data. D'(i) = D (i, 0) || ... || D (i, n-2) and D'(j) = D (j, 0) || ... || D (j) , N-2), are divided into blocks of data length d.

That is, each block of the data length d for the partially distributed data D'(i) is D (i, 0), ..., D (i, n-2), and for the partially distributed data D'(j). Each block of data length d is D (j, 0), ..., D (j, n-2).
Then, the data restoration unit 105 obtains S ₁ , ..., _Sn-1 for r = j-i mod n in the following cases.

Case1: When D (i, i) is included in D (i, l) (however, 0 ≦ l ≦ n-2), the following is repeated until the end condition 1 is satisfied. However, the end condition 1 is i-kr = n-1 (1 ≦ k ≦ n-1).
k = 1: S _r = D (i, i) xor D (j, i) xor S ₀ ,
k = 2: S _{r + r} = D (i, i-r) xor D (j, i-r) xor S _r ,
・ ・ ・
k = n-1: S _{(n-1) r} = D (i, i- (n-2) r) xor D (j, i- (n-2) r) xor S _{(n-2) r}

Case2: When D (j, j) is included in D (j, l), the following is repeated until the end condition 2 is satisfied. However, the end condition 2 is as follows. j + kr = n-1 (1 ≦ k ≦ n-1).
k = 1: S- _r = D (i, j) xor D (j, j) xor S ₀ ,
k = 2: S _-r-r = D (i, j + r) xor D (j, j + r) xor S- _r ,
・ ・ ・
k = n-1: S- _{(n-1) r} = D (i, j + (n-2) r) xor D (j, i + (n-2) r) xor S- _{(n-2) r}

The operator ± in Case 1 and Case 2 indicates the operation of mod n. Hereinafter, specific examples of the calculation processing of S ₁ , ..., Sn _- 1 in Case 1 and Case 2 described above will be described.

FIG. 9 is a table showing the value of each block of the partially distributed data obtained by deleting the additional distributed data from the distributed data stored in the storage server device 20. FIG. 9 shows an example in the case of n = 5. Therefore, FIG. 9 is a table in which the columns of j = 4 and the columns of j = 5 are deleted from the table of FIG.

Since the table of FIG. 9 is a table of 5 rows × 4 columns, it does not include D (4, 4) among the diagonal components. Whether or not Case 1 and Case 2 are applicable differs depending on whether the two selected dispersion data include D (4) or not.

Here, for example, an example of i = 4, j = 0, that is, an example in which D (4) and D (0) are selected will be described. First, r = j-i mod 5 = 0-4 = -4. Since D (4,4) is not included in D (4, l) = {D (4,0), D (4,1), D (4,2), D (4,3)}, This example does not correspond to Case1.
Further, since D (0,0) is included in D (0, l) = {D (0,0), D (0,1), D (0,2), D (0,3)}. , This example corresponds to Case 2.

k = 1: S- (-4) = D (4,0) xor D (0,0) xor S0 = S4, and for the end condition 2, 0 + 1 (-4) = -4 = 1 ≠ 4. Because there is, it is not satisfied.

k = 2: S- (-4)-(-4) = D (4,1)) xor D (0,1) xor S4 = S3, and for the end condition 2, 0 + 2 (-4) =- Since 8 = 2 ≠ 4, it is not satisfied.

k = 3: S-3 (-4) = D (4,2) xor D (0,2) xor S3 = S2, and for the end condition 2, 0 + 3 (-4) = -12 = 3 ≠ 4 Therefore, it is not satisfied.

k = 4: S-4 (-4) = D (4,3) xor D (0,3) xor S2 = S1, and for the end condition 2, 0 + 4 (-4) = -16 = 4 = 4 And since it is satisfied, the calculation of Case 2 is completed. As a result, all of S1, S2, S3, and S4 were calculated from Case2.

Next, for example, an example of i = 3, j = 0, that is, an example in which D (3) and D (0) are selected will be described. First, r = j-i mod 5 = 0-3 = -3. Since D (3,3) is included in D (3, l) = {D (3,0), D (3,1), D (3,2), D (3,3)}, this example Corresponds to Case 1.

k = 1: S (-3) = D (3,3) xor D (0,3) xor S0 = S2, and for the end condition 1, 3-1 (-3) = 6 = 1 ≠ 4. Yes, not satisfied.

k = 2: S (-3) + (-3) = D (3,1) xor D (0,1) xor S2 = S4, and for the end condition 1, 3-2 (-3) = 9 = 4 = 4, and since it is satisfied, the calculation of Case 1 is completed.
Further, since D (0,0) is also included in D (0, l) = {D (0,0), D (0,1), D (0,2), D (0,3)}. , This example also corresponds to Case 2.

k = 1: S- (-3) = D (3,0) xor D (0,0) xor S0 = S3, and for the end condition 2, 0 + 1 (-3) = -3 = 2 ≠ 4. Because there is, it is not satisfied.

k = 2: S- (-3)-(-3) = D (3,2)) xor D (0,2) xor S3 = S1, and for the end condition 2, 0 + 2 (-3) =- Since 6 = 2 = 4 and is satisfied, the calculation of Case 2 is completed. As a result, all of S1, S2, S3, and S4 were calculated from Case1 and Case2.
That is, S1, S2, S3, and S4 can be calculated regardless of which combination of distributed data is selected.

Subsequently, the data restoration unit 105 restores data S'= S ₁ ||, which is confidential information restored by concatenating S ₁ , ..., Sn _-1 output by Case 1 and / or Case 2. ... || Restore Sn _-1 . Here, the restored confidential information is referred to as the restored data S'in order to distinguish the restored data from the original data.

After the restored data S'= S ₁ || ... || Sn _-1 is restored in step S904, the data restoration unit 105 restores fi-H (R') h _{D'(i) =} H (S'). ) (S905). Note that R'is random number data restored by the following processing.

The data restoration unit 105 calculates R _j = D (i, j) xorS _{(i-j mod n)} (0 ≦ j ≦ n-2) and outputs R ₀ , ..., R _n-2 . Random data R'= R ₀ || ... || R _n-2 is restored by concatenating.

Then, the data restoration unit 105 is described above from D ( _i , n-1) = fi, H (D'(i)) = h _D'(i) , and the restored S', R'. It is determined whether or not the mathematical formula fi-H (R') x h _{D'(i) =} H (S') in step S905 is satisfied.

When the data restoration unit 105 determines that the formula in step S905 holds (S905: yes), the restoration data S'is the same as the secret information S, and the restoration data S'is output to end the restoration process. When the data restoration unit 105 determines that the formula in step S905 does not hold (S905: no), the restoration data S'is not the same as the secret information S, so the process returns to step S701.

Hereinafter, the reason why the success or failure of the restoration can be determined by determining the success or failure of the mathematical expression in step S905 will be described. From the above definition, since F (h _D'(i) ) = f _i , F (X) = h _S + h _R X mod q, (left side of step S905) = f _i −H (R'). × h _D'(i) = F (h _D'(i) )-H (R') × h _D'(i)- = h _S + h _R h _D'(i) -H (R') × h _D'(i) . Therefore, if h _S = H (S') and h _R = H (R') are established, that is, the hash value of S and the hash value of S'are equal, and the hash value of R and the hash value of R'are equal. If they are equal to each other, (left side of step S905) = (right side of step S905) is established. That is, if (the left side of step S905) = (the right side of step S905) is satisfied, it can be said that S and S'are equal with an extremely high probability.

As described above, according to the secret information distribution system of this embodiment, by performing the verification process of step S503 or step S902, falsification and damage of the distributed data D (i) can be prevented at the time of storing the distributed data or restoring the confidential information. It can be detected with a small amount of calculation. In addition, the amount of calculation for generating distributed data is small.

Since the verification data (G ₁ , G ₂ ) is a value that can be generated only by a person who knows the values of H (S) = h _S and H (R) = h _R , the distributed data is used. Only the person who generated it can generate correct verification data (G ₁ , G ₂ ).

Further, since the verification data (G ₁ and G ₂ ) are the same for each distributed data D (i) (0 ≦ i ≦ n-1), the verification process of step S503 or step S902 is passed. It can also be confirmed with a small amount of calculation that each distributed data D (i) (0 ≦ i ≦ n-1) is a distributed product of the same secret information S. Also, the amount of calculation for recovering confidential information is small.

Further, since the verification data (G ₁ , G ₂ ) also has a falsification detection function of the secret information S, by performing the verification process in step S905, the restored data S'is the secret information S (original data). It can also be confirmed that it matches with.

The present invention is not limited to the above-described embodiment, and includes various modifications. For example, the above-described embodiment has been described in detail in order to explain the present invention in an easy-to-understand manner, and is not necessarily limited to the one including all the described configurations. It is also possible to replace a part of the configuration of one embodiment with the configuration of another embodiment, and it is also possible to add the configuration of another embodiment to the configuration of one embodiment. Further, it is possible to add / delete / replace a part of the configuration of each embodiment with another configuration.

Further, each of the above configurations, functions, processing units, processing means and the like may be realized by hardware by designing a part or all of them by, for example, an integrated circuit. Further, each of the above configurations, functions, and the like may be realized by software by the processor interpreting and executing a program that realizes each function. Information such as programs, tables, and files that realize each function can be placed in a memory, a hard disk, a recording device such as an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.

In addition, the control lines and information lines indicate those that are considered necessary for explanation, and do not necessarily indicate all the control lines and information lines in the product. In practice, it can be considered that almost all configurations are interconnected.

1 Secret distribution system, 10 Client equipment, 20 Storage server equipment, 30 Verification data disclosure equipment, 50 Computer, 104 Distributed data generation unit, 105 Data restoration unit, 106 Random generation unit, 107 Confidential information, 203 Distributed data, 303 Verification Data, 304 public parameters, 501 communication device, 502 input device, 503 memory, 504 auxiliary storage device, 505 CPU, 506 output device

Claims (12)

It ’s a secret sharer,
Equipped with a processor and a storage device,
The storage device holds confidential data and public parameters.
The processor
Divide the secret data and
A plurality of partially distributed data are generated based on the exclusive OR of the divided secret data and the first random number group composed of a plurality of random numbers.
The hash value of the secret data by a predetermined hash function, the hash value of the first value obtained from the random number of the first random number group by the predetermined hash function, and the predetermined hash of each of the plurality of partially distributed data. Calculate the hash value by the function and
For each of the plurality of partially distributed data, a value obtained by substituting the partially distributed data into a first function having the hash value of the secret data and the hash value of the first value as a coefficient or a constant term, and Additional dispersion data including a value obtained by substituting the partial distribution data into a second function having a random number of the second random number group consisting of random numbers not included in the first random number group as a coefficient or a constant term. Generate distributed data by adding to the partially distributed data
Output each of the distributed data to different output destinations,
A second value calculated based on the public parameter, the hash value of the secret data, and the first random number included in the second random number group, the public parameter, the hash value of the first value, and the first. 2 A secret sharing device that includes a third value calculated based on a second random number included in a random number group and the verification data of the distributed data. The secret sharing device according to claim 1.
The public parameters are g ₁ ∈ GF (p) and g ₂ which are different elements of the order q of the finite field modulo p and the prime number p such that q = (p-1) / 2 is a prime number. Including ∈ GF (p),
The first random number group includes random numbers R ₀ , ..., R _n-2 (R _j ∈ {0, 1} ^d (0 ≦ j ≦ n-2)).
The second random number group includes a random number a ∈ GF (q) and a random number b ∈ GF (q).
The first value is R = R ₀ || ... || R _n-2 , which is a combination of the random numbers.
The first function is F (X) = h _S + h _R X mod q (where h _s is the hash value of the secret data and h _R is the hash value of the first value R. be),
The second function is F'(X) = a + bX mod q.
The processor
The secret data S ∈ {0, 1} ^{d (n-1)} is divided into _n-1 data S ₁ , ..., Sn-1 having a length d, respectively.
D (i, j) = S _{(i-j mod n)} xor R _j (0 ≤ i ≤ n-1, 0 ≤ j ≤ n-2, but S ₀ ∈ {0} ^d ), respectively (i, Calculate for j)
D'(i) = D (i, 0) || ... || D (i, n-2) in which each D (i, j) is concatenated for each i is generated as the partially distributed data.
For each of the partial dispersion data D'(i) (0≤i≤n-1), the additional dispersion data D (i, n-1) = F (h _D'(i) ) and D (i, d (i) = D'(i) || D (i, n-1) obtained by calculating n) = F'(h _D'(i) ) and combining the additional variance data and the partial variance data. || D (i, n) is generated as the distributed data, and
G ₁ = power (g ₁ , h _S ) × power (g ₂ , a) mod p was calculated as the second value.
A secret sharing device that calculates G ₂ = power (g ₁ , h _R ) × power (g ₂ , b) mod p as the third value. The secret sharing device according to claim 1.
The storage device is
Holds the first distributed data and the second distributed data generated from the first secret data to be restored.
The processor
The restoration process of the first secret data is executed from the first distributed data and the second distributed data, and the restoration process is executed.
In the restoration process
The additional distributed data is deleted from each of the first distributed data and the second distributed data, and the partially distributed data is acquired.
The partially distributed data of the first distributed data and the partially distributed data of the second distributed data are each divided.
Restoration divided data of the first secret data based on the exclusive logical sum of the divided data of the partially distributed data of the first distributed data and the divided data of the partially distributed data of the second distributed data. To generate,
A secret sharing device that restores the first secret data by combining the restoration division data. The secret sharing device according to claim 3.
The processor
For each of the first distributed data and the second distributed data, based on the additional distributed data corresponding to the distributed data and the second value and the third value included in the verification data. , Determine if the distributed data is correct,
A secret sharing device that executes the restoration process when it is determined that both the first distributed data and the second distributed data are correct data. The secret sharing device according to claim 3.
The processor
It was used to generate the distributed data of the first secret data based on the exclusive OR of the first distributed data after the division, the second distributed data after the division, and the restored divided data. Restore the random number of the first random group and
The restored first value is based on the hash value of the first value calculated from the restored random number by the predetermined hash function and the hash value of the restored first secret data by the predetermined hash function. A secret sharing device that determines whether or not secret data is correct data. It ’s a secret sharing system,
Including secret sharing device, multiple storage devices, and verification data disclosure device,
The secret sharing device is
Holds confidential data and public parameters,
Divide the secret data and
A plurality of partially distributed data are generated based on the exclusive OR of the divided secret data and the first random number group composed of a plurality of random numbers.
The hash value of the secret data by a predetermined hash function, the hash value of the first value obtained from the random number of the first random number group by the predetermined hash function, and the predetermined hash of each of the plurality of partially distributed data. Calculate the hash value by the function and
For each of the plurality of partially distributed data, a value obtained by substituting the partially distributed data into a first function having the hash value of the secret data and the hash value of the first value as a coefficient or a constant term, and Additional dispersion data including a value obtained by substituting the partial distribution data into a second function having a random number of the second random number group consisting of random numbers not included in the first random number group as a coefficient or a constant term. Generate distributed data by adding to the partially distributed data
Each of the distributed data is transmitted to different storage devices, and the distributed data is transmitted to different storage devices.
A second value calculated based on the public parameter, the hash value of the secret data, and the first random number included in the second random number group, the public parameter, the hash value of the first value, and the first. 2 The third value calculated based on the second random number included in the random number group and the third value calculated based on the second random number are included in the verification data of the distributed data.
The verification data and the disclosure parameter are transmitted to the verification data disclosure device, and the verification data and the disclosure parameter are transmitted to the verification data disclosure device.
The verification data disclosure device is a secret sharing system that discloses the verification data and the disclosure parameters in the secret sharing system. The secret sharing system according to claim 6.
The public parameters are g ₁ ∈ GF (p) and g ₂ which are different elements of the order q of the finite field modulo p and the prime number p such that q = (p-1) / 2 is a prime number. Including ∈ GF (p),
The first random number group includes random numbers R ₀ , ..., R _n-2 (R _j ∈ {0, 1} ^d (0 ≦ j ≦ n-2)).
The second random number group includes a random number a ∈ GF (q) and a random number b ∈ GF (q).
The first value is R = R ₀ || ... || R _n-2 , which is a combination of the random numbers.
The first function is F (X) = h _S + h _R X mod q (where h _s is the hash value of the secret data and h _R is the hash value of the first value R. be),
The second function is F'(X) = a + bX mod q.
The secret sharing device is
The secret data S ∈ {0, 1} ^{d (n-1)} is divided into _n-1 data S ₁ , ..., Sn-1 having a length d, respectively.
D (i, j) = S _{(i-j mod n)} xor R _j (0 ≤ i ≤ n-1, 0 ≤ j ≤ n-2, but S ₀ ∈ {0} ^d ), respectively (i, Calculate for j)
D'(i) = D (i, 0) || ... || D (i, n-2) in which each D (i, j) is concatenated for each i is generated as the partially distributed data.
For each of the partial dispersion data D'(i) (0≤i≤n-1), the additional dispersion data D (i, n-1) = F (h _D'(i) ) and D (i, d (i) = D'(i) || D (i, n-1) obtained by calculating n) = F'(h _D'(i) ) and combining the additional variance data and the partial variance data. || D (i, n) is generated as the distributed data, and
G ₁ = power (g ₁ , h _S ) × power (g ₂ , a) mod p was calculated as the second value.
A secret sharing system that calculates G ₂ = power (g ₁ , h _R ) × power (g ₂ , b) mod p as the third value. The secret sharing system according to claim 6.
The secret sharing device is
The first distributed data and the second distributed data generated from the first secret data to be restored are received from different storage devices.
The restoration process of the first secret data is executed from the first distributed data and the second distributed data, and the restoration process is executed.
In the restoration process
The additional distributed data is deleted from each of the first distributed data and the second distributed data, and the partially distributed data is acquired.
The partially distributed data of the first distributed data and the partially distributed data of the second distributed data are each divided.
Restoration divided data of the first secret data based on the exclusive logical sum of the divided data of the partially distributed data of the first distributed data and the divided data of the partially distributed data of the second distributed data. To generate,
A secret sharing system that restores the first secret data by combining the restoration division data. The secret sharing system according to claim 8.
The secret sharing device is
For each of the first distributed data and the second distributed data, based on the additional distributed data corresponding to the distributed data and the second value and the third value included in the verification data. , Performs verification processing to determine whether the distributed data is correct data,
If it is determined that both the first distributed data and the second distributed data are correct data, the restoration process is executed.
When it is determined that at least one of the first distributed data and the second distributed data is not correct data, storage holding the distributed data of the first secret data other than the first distributed data and the second distributed data. A secret sharing system that acquires the third distributed data of the first secret data from the apparatus and performs the verification process on the third distributed data. The secret sharing system according to claim 8.
The secret sharing device is
It was used to generate the distributed data of the first secret data based on the exclusive OR of the first distributed data after the division, the second distributed data after the division, and the restored divided data. Restore the random number of the first random group and
The restored first value is based on the hash value of the first value calculated from the restored random number by the predetermined hash function and the hash value of the restored first secret data by the predetermined hash function. A secret sharing system that determines whether secret data is correct data. The secret sharing system according to claim 6.
The storage device is
The verification data is acquired from the verification data disclosure device, and the verification data is acquired.
It is determined whether or not the distributed data is correct data based on the additional distributed data corresponding to the received distributed data and the second value and the third value included in the verification data. A secret sharing system that performs verification processing. It is a secret sharing method using a secret sharing device.
The secret sharing device includes a processor and a storage device, and the secret sharing device includes a processor and a storage device.
The storage device holds confidential data and public parameters.
The secret sharing method is
The processor divides the secret data and
The processor generates a plurality of partially distributed data based on the exclusive OR of the divided secret data and the first random number group composed of a plurality of random numbers.
The processor has a hash value of the secret data by a predetermined hash function, a hash value of a first value obtained from a random number of the first random number group by the predetermined hash function, and each of the plurality of partially distributed data. Calculate the hash value by the predetermined hash function and
Obtained by the processor by substituting the partially distributed data into a first function having the hash value of the secret data and the hash value of the first value as a coefficient or a constant term for each of the plurality of partially distributed data. Addition including a value to be obtained and a value obtained by substituting the partial distribution data into a second function having a random number of the second random number group consisting of random numbers not included in the first random number group as a coefficient or a constant term. The distributed data is added to the partially distributed data to generate the distributed data.
The processor outputs each of the distributed data to different output destinations,
A hash of a second value calculated by the processor based on the public parameter, a hash value of the secret data, and a first random number included in the second random number group, and a hash of the public parameter and the first value. A secret sharing method in which a third value calculated based on a value and a second random number included in the second random number group is included in the verification data of the distributed data.

Images