JP2004246377A - Secrecy distribution system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To realize a distributed decoding and signature by arbitrary (t) agencies among (n) agencies without calculating a secret key in an environment where there is no dealer. <P>SOLUTION: In the secrecy distribution system, (n) respective agencies P1-Pn preserve one piece of (n, n) type partial information di (0≤i≤n) and the partial information di is made to be (t, n) type t(r+1) partial random numbers Sj and these (r+1) partial random numbers Sj are respectively distributed to the agencies P1-Pn based on t-ary display (t<SP>j</SP>-th value k, 0≤k≤t-1, 0≤j≤r) of the identification number (z) of each agency Pi and the (r+1) pieces of partial information dj, k are obtained by collecting the mutually distributed partial random numbers for every figure t<SP>j</SP>of the t-ary display. Next, a user device U transmits ciphered data C by selecting (t) agencies Tz and the (t) of agencies Tz and partial outputs Xz which are obtained by arithmetically processing the ciphered data C based on the partial information dj, k respectively to the user device U, and the user device U composes the (t) partial outputs Xz to obtain the result of decoding. <P>COPYRIGHT: (C)2004,JPO&NCIPI

Description

  The present invention relates to a cryptographic secret sharing system based on the prime factorization problem, and in particular, secretly shares a secret key to n institutions, and calculates t secret keys by any of the t institutions. The present invention relates to a secret sharing system capable of realizing shared decryption and signature.

  2. Description of the Related Art Conventionally, as an encryption system based on the prime factorization problem, in the field of secret sharing using, for example, an RSA encryption system, there is a secret sharing method called a threshold value method. Here, in the threshold value method, when the secret information is distributed into n pieces of partial information, the secret information is completely restored by using t pieces of the n pieces of partial information. It has a characteristic of restoring confidential information at a threshold value t, where no information can be restored (1 <t <n).

  As this kind of secret sharing scheme, there is known a (t, n) type secret sharing scheme in which the concept of a threshold method is introduced into an RSA cryptosystem and a secret key is secretly shared in a (t, n) type. (Y. Frankel, P. Gemmell, PD MacKenzie and M. Yung, “Optimal-resilience proactive public-key cryptosystems”, 38th Annual Symposium on Foundations of Computer Science, pp. 384-393, 1997. [FGMY97]), and T. Okamoto, “Threshold key-recovery systems for RSA”, Security Protocols, LNCS 1361, pp. 191-200, 1997. (hereinafter referred to as reference [Oka97]).

  Above all, the document [FGMY97] shows a method in which decryption and signature can be performed by arbitrary t organizations without calculating a secret key d in an environment where a dealer (distributor) exists. In other words, this method allows a dealer who knows prime factors having different combined numbers N to create a secret key d that can be decrypted and signed with arbitrary t pieces of partial information without knowing the prime factors.

  On the other hand, in an environment where there is no dealer, an (n, n) type secret sharing scheme in which key generation is performed by all institutions instead of the threshold method is known (D. Boneh and M. Franklin, “Efficient generation of shared RSA keys ”, Advances in Cryptology-CRYPTO '97, LNCS 1294, pp. 425-439, 1997. (hereinafter referred to as literature [BF97]).

  In the method of Document [BF97], when key generation is performed, secret sharing of the (n, n) type is simultaneously performed on the secret key d. Also, by combining partial outputs from all the organizations using the retained partial information, it is possible to decrypt the ciphertext without calculating the secret key d.

  In detail, the literature [BF97] describes a method of efficiently constructing a (2, n) type secret sharing (n ≧ 3) from a (2,2) type secret sharing as shown in the following algorithm. ing.

  For the sake of simplicity, it is assumed that there is a user who knows the secret key d, and that this user secretly shares the secret key d in the (2, n) type. Also, for the total number n of the institutions P, the number of secret sharing polynomials indicating combinations of partial information is assumed to be r + 1, and r = “log n” (in this specification, “” indicates a parenthesis Indicates the smallest integer greater than or equal to

First, the user executes the (2, 2) type secret sharing r + 1 times, so that r + 1 independent polynomials d = d _0,0 + d _0,1 = d _1,0 + d _1,1 =... = D _{r , 0} + _{dr, 1} are created individually.

Next, the identification number of the individual engine in the engine of the total number n and z (z∈ [0, n] ), and the binary display _{z (2) = β r β} r-1 ... β 0 of the identification number z I do. User, the 0th ~n th for all of the engine P ₀ to P _n, successively, the z-th engine P _z, r + 1 pieces of partial _{information: {d r, βr, d} r-1, βr- ₁ , ..., _{d0, β0} }. Thus, all of the engine P ₀ to P _n, a set of partial information corresponding to the binary representation of the identification number z is delivered.

By setting the number of the institution only after the delivery is completed, any two institutes Pi and Pj (i ≠ j) can obtain the number z (2) of the (r + 1) (2,2) type partial information. ), The secret key d can be restored from the partial information (d _{i, 0} , d _{i, 1} ) of the same digit i having different bits β (d _{i, 0} + d _{i, 1} = d).

Next, a related technique for expanding the secret sharing type, such as the above-described method of constructing the (2, n) type secret sharing from the (2, 2) type, will be described.
As this type of technology, (t, l) type was used (t, l ^m) there is a secret sharing scheme (SR Blackburm, M. Burmester, Y. Desmedt and PR Wild, "Efficient multiplicative sharing schemes" , Advances in Cryptology-EURO-CRYPT '96, pp. 107-118, 1996. (hereinafter referred to as literature [BBDW96]). However, the method of the document [BBDW96] relates to 1 that satisfies the following expression (1) for a positive integer m.

t = 2 b ≧ 1 → l ≧ 1
t = 3 b ≧ 3 → l ≧ 3
t = 4 b ≧ 6 → l ≧ 6
When t ≧ 4, t <l. That is, when t ≧ 4, it is impossible to construct a (t, n) type secret sharing scheme using the (t, t) type.

Therefore, the following is a description of (3,3 ³⁾ secret sharing scheme with (3,3) types in the literature [BBDW96]. Assuming that m = 2, 1 = 3, and t = 3, b is calculated as shown in equation (2).

  First, the secret sharing of the (3,3) type is executed b + 1 = 4 times, and four independent polynomials for the secret key d are constructed as shown in the equation (3).

d = d _0,0 + d _0,1 + d _0,2 (first time)
= D _1,0 + d _1,1 + d _1,2 (2nd time)
= D _2,0 + d _2,1 + d _2,2 (3rd time)
= D _3,0 + d _3,1 + d _3,2 (4th time) ... (3)
Further, it is assumed that f (x) = a ₀ + a ₁ X (mod 3).

Here, in this document [BBDW96], when the set of final authority (here 3 ^two institutions) was P', f (X) is described as (4) (pp. The first line of 113, “d” in the formula is represented as “m” in the present specification).

However, this equation (4) is presumed to be an error of the following equation (5).

However, a ₀ , a ₁ ∈F 3, and f (∞) = a ₁ .

f1 (x) = 0 (mod 3)
f2 (x) = 1 (mod 3)
f3 (x) = 2 (mod 3)
f4 (x) = 0 + X (mod 3)
f5 (x) = 1 + X (mod 3)
f6 (x) = 2 + X (mod 3)
f7 (x) = 0 + 2X (mod 3)
f8 (x) = 1 + 2X (mod 3)
f9 (x) = 2 + 2X (mod 3)
Each engine fj has (d0 _{, fj (∞)} , d1 _{, fj (0)} , d2 _{, fj (1) , d3, fj (2)} ). Specifically, a set of partial information stored in each institution is as shown in FIG. 12, and a combination of institution and target partial information is as shown in FIG.

As shown in FIG. 12, for example, when distributed decoding is performed by the institutions f1, f4, and f8 (second row), partial information corresponding to X = ∞ is extracted. Calculations are respectively performed using (d _0,0 , d _0,1 , d _0,2 ), and an output corresponding to the secret key d can be calculated.

  In FIG. 13, a combination with any one of the alphabets a to l indicates that there are three types of output calculation routes corresponding to the secret key d in the same combination of each institution. Note that “d” in FIG. 13 is simply an alphabetical code, not a secret key d.) For example, in the case of the combination (f1, f2, f3) of the organizations with the symbol b, it is possible to prepare three pieces of partial information for recovering the secret key d at any of X = 0, 1, and 2.

  On the other hand, there is a scheme that introduces the concept of a threshold method to the (n, n) type secret sharing scheme in the above-mentioned literature [BF97] (Y. Frankel, PD MacKenzie and M. Yung, “Robust efficient”). distributed RSA-key generation ”, Proceedings of the thirtieth annual ACM symposium on theory of computing, pp. 663-672, 1998. (hereinafter referred to as literature [FMY98]).

  In the method of document [FMY98], a (t, n) type key generation and sharing method based on the (n, n) type secret sharing of document [BF97] is described. Specifically, first, an (n, n) type key is generated, and a polynomial of the sum with respect to the secret key d is generated. Next, each institution Pi becomes a dealer of the partial information di, and performs conversion of Sum-to-Poly (sum to plural). At this time, each institution Pi synthesizes the shared information on the partial information dj from all the institutions Pj, and finally performs secret sharing on the secret key d, thereby obtaining the (t, n) type secret sharing of the secret key d. To achieve.

  As a result, in the method of the document [FMY98], out of the total number n, any t institutions P can calculate the RSA secret key d, and key recovery is possible.

However, the above secret sharing systems have problems as follows.
Since in the method of the literature [BBDW96], in the case of n> For ^{3 2} and t ≧ 4 at t = 3 is impossible to construct a (t, l ^m) type secret sharing, (2, n) type The secret sharing construction method has not been generalized.

On the other hand, in the method of the document [FMY98], a problem occurs when a signature or decryption using the secret key d is attempted without calculating the secret key d. For example, it is assumed that there is a ciphertext C = M ^e (mod N) encrypted with the public key (e, N). When the cipher text C is decrypted by an arbitrary number of t organizations (this set is denoted by Λ), each institution Pj calculates a Lagrangian interpolation coefficient λ _{j, Λ} as shown in equation (6) _, and It is necessary to obtain partial outputs from the coefficients λ _{j, Λ} respectively.

However, since none of the institutions Pj knows the prime factor of the composite number N (= pq), the multiplicative inverse of l-j modulo the width order φ (N) cannot be calculated, and the Lagrange interpolation coefficient λ _{j, Λ} also cannot be calculated. Therefore, the partial output used when calculating the Lagrangian interpolation coefficient λ _{j, Λ} cannot be calculated, and the distributed decoding for restoring the plaintext by combining the partial outputs as in Expression (7) becomes impossible. .

  The present invention has been made in consideration of the above situation, and can perform distributed decryption and signature by arbitrary t out of n institutions without calculating a secret key in an environment without a distributor ( It is an object of the present invention to provide a (t, n) type secret sharing system.

  The first invention is used in a cryptographic system based on the prime factorization problem, in which partial final information of a secret key is distributed to n institutions, and all the institutions calculate the secret key only by their own partial final information. (T, n) type secret sharing that can generate a decryption result and a signature result without calculating the secret key by any t of the n institutions when the environment is impossible. System.

Further, the second invention is applied to an RSA encryption system using a public key and a secret key d, and comprises n institutions and user devices connected to each other via a network, and the n institutions have the secret key d When the partial final information is distributed, a (t, n) type secret sharing system is capable of generating a decryption result or a signature result without calculating the secret key d by any t organizations in the information. In addition, each of the n institutions includes means for generating the public key and the secret key d, and one piece of (n, n) type partial information di () generated based on the secret key d. Means for holding 0 ≦ i ≦ n), and r is a minimum integer equal to or greater than log _t n of logarithm of n with t as the base, and the partial information di is represented by (t, n) type t (r + 1) Partial random numbers, of which r + 1 partial random numbers are t-ary tables of the identification numbers of the organizations. Based on (t ^j-th digit of the value k, 0 ≦ k ≦ t- 1,0 ≦ j ≦ r), means for dispersing the respective engine respectively, the dispersed from each institution n (r + 1) number of partial Means for collecting random numbers for each digit t ^j of the t-ary notation to obtain r + 1 partial final information dj, k, and performing arithmetic processing on the processing target data received from the user device based on the partial final information dj, k Means for returning the obtained partial output to the user device, wherein the user device selects the t institutions and transmits the processing target data to each of the selected t institutions. And a means for combining the partial outputs received from the t organizations to obtain the decryption result or the signature result.

A third aspect of the present invention is first public key (e, N) and the maximum commitments and the private key d, the second public key (L ^2, N) and RSA cryptosystem using the (e and L ² The number is 1 and the modulus N is common), and n institutions and user devices are connected to each other via a network, and partial information sj of the secret key d is distributed to the n institutions. At this time, a (t, n) type secret sharing system in which a decryption result can be generated without calculating the secret key d by any of the t institutions, wherein each of the n institutions is , and means for returning the partial output Zj obtained the decoded data ^{C2 (= M e (mod N} )) received from the user device by processing to the user device, as the user equipment, T institutions out of the n institutions are selected, and the selected Means for transmitting data C2; means for combining the partial outputs Zj received from the t institutions to obtain the decoding result C1 (= ML ^{^ 2} (mod N), where ^ is a symbol indicating a power). And a means for executing an arithmetic process based on the decryption result C1, the processing target data C2, and the following equation to obtain a final decryption result M.

a1 = (L ² ) ⁻¹ (mode)
a2 = (a1L ² -1) / e
M = C ₁ ^a1 (C ₂ ^a2 ) ⁻¹ (mod N)
In a fourth aspect based on the third aspect, the signature target data S2 (= M) is used instead of the decryption target data C2, and the signature result S1 (= M ^{dL ^} ) is used instead of the decryption result C1. ² (mod N), where ^ is a symbol indicating a power, the signature result S1 (= (M ^d ) ^e ) and the signature target data S2 (= (M based on the ^{d) L ^ 2)} and the following equation, and performs arithmetic processing, a secret sharing system that includes a means for obtaining the final signature result M ^d.

a1 = (L ² ) ⁻¹ (mode)
a2 = (a1L ² -1) / e
M ^d = S ₁ ^a1 (S ₂ ^a2 ) ⁻¹ (mod N)
Further, the fifth invention is applied to an RSA encryption system using a public key and a secret key d, and includes n institutions and user devices connected to each other via a network, and the n institutions have the secret key d When the partial final information is distributed, a (t, n) type secret sharing system that can generate a decryption result or a signature result without calculating the secret key d by an arbitrary t organizations in the partial final information. A computer-readable storage medium to be used, comprising: means for generating the public key and the secret key d in a computer in each of the n institutions; , N) -type partial information di (0 ≦ i ≦ n), and r is a minimum integer greater than or equal to log _t n of logarithm of n, where t is the base. Let t (r + 1) partial random numbers of the (t, n) type be The ones of r + 1 pieces of partial random number based the on t-ary representation of the identification number of each institution (t ^j-th digit of the value k, 0 ≦ k ≦ t- 1,0 ≦ j ≦ r), respectively distributed to each engine means for said n distributed from the engine (r + 1) number of partial random numbers t ary display together in each digit t ^j r + 1 pieces of partial final information dj, means for obtaining a k, received from the user equipment A computer-readable storage medium storing a program for implementing processing means for processing data to be processed based on the partial final information dj, k and returning the obtained partial output to the user device.

Furthermore, a sixth aspect of the present invention, the first public key (e, N) and the maximum commitments and the private key d, the second public key (L ^2, N) and RSA cryptosystem using the (e and L ² The number is 1 and the modulus N is common), and n institutions and user devices are connected to each other via a network, and partial information sj of the secret key d is distributed to the n institutions. A storage medium used in a (t, n) type secret sharing system capable of generating a decryption result without calculating the secret key d by any of the t institutions; Means for returning to the user device a partial output Zj obtained by performing arithmetic processing on the decryption target data C2 (= M ^e (mod N)) received from the user device to the computers in the respective organizations. A program for causing the computer in the user device to store the n programs. Means for selecting t institutes among the institutes and transmitting the decoding target data C2 to each of the selected t institutes; combining the partial outputs Zj received from the t institutes to perform the decoding Means for obtaining a result C1 (= ML ^{^ 2} (mod N), where ^ is a symbol indicating a power), an arithmetic operation is performed based on the decoding result C1, the processing target data C2, and the following equation, and a final decoding result This is a computer-readable storage medium storing a program for realizing the means for obtaining M.

a1 = (L ² ) ⁻¹ (mode)
a2 = (a1L ² -1) / e
M = C ₁ ^a1 (C ₂ ^a2 ) ⁻¹ (mod N)
In a seventh aspect based on the sixth aspect, the signature target data S2 (= M) is used instead of the decryption target data C2, and the signature result S1 (= M ^{dL ^} ) is used instead of the decryption result C1. ² (mod N), where ^ is a symbol indicating a power, the signature result S1 (= (M ^d ) ^e ) and the signature target data S2 (= (M ^{d) L ^ 2),} and in accordance with the following equation, and performs arithmetic processing, a computer-readable storage medium storing a program for realizing the means for obtaining the final signature result M ^d.

a1 = (L ² ) ⁻¹ (mode)
a2 = (a1L ² -1) / e
M ^d = S ₁ ^a1 (S ₂ ^a2 ) ⁻¹ (mod N)
(Action)
Therefore, in the first, second, and fifth inventions, by taking the above-described means, each of the n institutions generates the public key and the secret key d, and is generated based on the secret key d ( When one piece of partial information di (0 ≦ i ≦ n) of the (n, n) type is held and the smallest integer equal to or greater than the logarithm log _t n of n with t as the base is r, this partial information di T (r + 1) partial random numbers of the (t, n) type, of which r + 1 partial random numbers are represented in t-ary notation of the identification number of each institution (value k in the t ^j digit, 0 ≦ k ≦ t−1 , 0 ≦ j ≦ r), and n (r + 1) partial random numbers distributed from each institution are grouped for each digit t ^j in t-ary notation, and r + 1 partial final information dj, k is obtained.

  Subsequently, the user device selects t institutes, transmits processing target data to each of the selected t institutes, and the t institution processes the processing target data received from the user device with partial final information dj. , k, and returns the obtained partial output to the user device. The user device combines the partial outputs received from the t institutions to obtain a decryption result or a signature result.

  As described above, it is possible to realize distributed decryption and signature by arbitrary t organizations out of n organizations without calculating a secret key in an environment where there is no distributor, and without using Lagrange interpolation. , High processing efficiency can be realized.

Further, the third and sixth inventions provide an RSA cryptosystem (e and L ² ) using a first public key (e, N) and a secret key d and a second public key (L ² , N). When the greatest common divisor is 1 and the modulus N is common, when the partial information sj of the secret key d is distributed to n institutions, the user apparatus selects t institutions from the n institutions Then, the data to be decoded C2 is transmitted to each of the selected t institutions, and each of the t institutions obtains the data to be decrypted C2 (= M ^e (mod N)) received from the user apparatus by performing arithmetic processing. The obtained partial output Zj is returned to the user device, and the user device combines the partial outputs Zj received from the t institutions to obtain a decoding result C1 (= ML ² (mod N)) and decodes the decoded result. results C1, processed data C2 and a prescribed formula ^{(a1 = (L 2) -1} (mod e), a2 = (a1L 2 -1) / e, M = C 1 a1 C ₂ ^a2) based on the ^-1 (mod N)), executes the calculation process to obtain the final decoded result M.

  Accordingly, distributed decryption by any t institutions out of n institutions can be realized without calculating a secret key in an environment where there is no distributor, and Lagrange using a public key under a predetermined condition High reliability can be achieved based on the interpolation method.

Further, in the fourth and seventh inventions, the signature target data S2 (= M) is used instead of the decryption target data C2, and the signature result S1 (= M ^{dL ^ 2} (mod N)) is used instead of the decryption result C1. , ^ Is a symbol indicating a power, and a signature result S1 (= ( ^Md ) ^e ), signature target data S2 (= ( ^Md ) ^{L ^ 2} ) and a predetermined expression based on ^{(a1 = (L 2) -1} (mod e), a2 = (a1L 2 -1) / e, M d = S 1 a1 (S 2 a2) -1 (mod N)), calculation processing is executed to obtain the final signature result M ^d.

  Thereby, the same operation as the operation corresponding to the third and sixth inventions can be realized in the signature processing.

  As described above, according to the present invention, distributed decryption and signatures can be realized by arbitrary t organizations out of n organizations without calculating a secret key in an environment where there is no distributor (t, n). Type of secret sharing system.

  Next, embodiments of the present invention will be described with reference to the drawings. Note that the first embodiment realizes high processing efficiency without using the Lagrangian interpolation method, and the second embodiment achieves high reliability based on the Lagrange interpolation method using a public key under a predetermined condition. Are realized, and both are (t, n) type secret sharing systems capable of performing distributed decryption and signature by a threshold method of a non-dealer model. Hereinafter, description will be made sequentially.

(1st Embodiment)
This embodiment is a (t, n) type secret sharing system that generalizes a method of constructing a (2, n) type secret sharing from the (2, 2) type in the document [BF97].
Specifically, when each institution Pi holds (n, n) type partial information di of the secret key d using the method of the document [BF97], all the institutions P1 to Pn respectively store the partial information di (t , N) type partial random number information, and each organization P1 to Pn collects the partial random number information digit by digit to obtain a plurality of pieces of partial information dj, k to form a (t, n) type secret sharing system. .

  FIG. 1 is a schematic diagram showing the configuration of the secret sharing system according to the first embodiment of the present invention. In this secret sharing system, n institutions P1 to Pn as a computer system and a user device U are connected to each other via a network.

  Since each of the engines P1 to Pn has the same configuration as each other, an arbitrary engine Pi (1 ≦ i ≦ n) will be described here as a representative example.

Based on the function of generating the public key (e, N) and the secret key d and the method of [BF97], the institution Pi sets the secret key d to (2, n) type partial information, and A function of distributing the partial information to each of the institutions P1 to Pn; a function of retaining one piece of (n, n) type partial information di based on the distributed r + 1 pieces of partial information; Is a (t, n) -type partial random number, of which r + 1 partial random numbers are distributed to the respective institutions P1 to Pn based on the t-ary representation of the identification number of the institution, distributed n (r + 1) number of partial random numbers t ary weighing value t ^j every collectively r + 1 pieces of partial information dj, a function of obtaining k, and decoding the ciphertext C received from the user device U It has a function of returning the obtained partial output Xz to the user device U.

  In addition, when an arbitrary t number is selected, each institution Pi uses notation “T” instead of “P”, though not shown. For example, when “institution Pz” is selected, it is described as “institution Tz”.

  The user apparatus U transmits a ciphertext C encrypted with the public key (e, N) to the t institutions Tz, and a function of selecting t institutions Tz out of the n institutions P1 to Pn. And a function of synthesizing the partial output Xz received from each institution Tz to obtain a plaintext M.

  Next, a specific hardware configuration of each of the institutions P1 to Pn and the user device U will be described. Specifically, as shown in FIG. 2, the institution Pi and the user device U have a CPU 11, a controller 12, a memory 13, a communication device 14, a display 15, a keyboard 16, and a printer 17 connected to each other via a bus 18. Is a computer system connected via the Internet.

  Among these configurations, the memory 13 includes both a so-called main memory (RAM and the like) and a secondary storage device (hard disk and the like). The function read by the engine Pi is realized by the program read into the main memory and the control of the CPU 11 according to the program. In other words, each of the institutions P1 to Pn and the user device U have different configurations so as to perform the respective functions described above in terms of software. The detailed contents of each function composed of the combination of the hardware and the software will be described in detail in the following operation description.

  However, each of the institutions P1 to Pn only needs to have hardware for performing arithmetic processing on data received from the user device U and returning the result to the user device U. For example, the display 15, the keyboard 16, the printer 17, and the like are required. It may be omitted as appropriate. Similarly, in the user device U, for example, the printer 17 may be omitted.

Next, the operation of the secret sharing system configured as described above will be described.
((T, n) type secret sharing)
When each of the institutions P1 to Pn generates the public key (e, N) and the secret key d, the secret key d is converted into (2, n) type partial information based on the method of the document [BF97], and r + 1 of them is used. The pieces of partial information are distributed to the respective institutions P1 to Pn.

  Each of the institutions P1 to Pn shares two different prime factors p and q in the composite number N and a secret key d in the (n, n) type based on r + 1 pieces of partial information according to the method of [BF97]. ing.

  That is, as shown in FIG. 3, each institution Pi (1 ≦ i ≦ n) stores partial information di satisfying the following equation (8) (ST1).

d = d1 + d2 +... + dn (8)
Next, all the organizations Pi function as dealers of their own partial information di. That is, as shown in equation (9), all the organizations Pi have (t, n) type partial random number information Sj, l (0 ≦ j ≦ r, 0 ≦ l ≦ t) indicating their own partial information di. -2) is generated (ST2). Here, r = “log _t n”.

  Note that the process of generating the partial random number information Sj, l is equivalent to creating r + 1 independent polynomials indicating the partial information di of each institution Pi as shown below.

di = _S0,0 + _S0,1 + ... + S0 _{, t-2} + S0 _{, t-1}
= S _1,0 + S _1,1 + ... + S _{1, t-2} + S _{1, t-1}
=…
= S _{j, 0} + S _{j, 1} + ... + S _{j, t-2} + S _{j, t-1}
=…
= _{Sr, 0} + _{Sr, 1} + ... + _{Sr, t-2} + _{Sr, t-1}
Next, assuming that the identification number is z, all the organizations Pi share partial random number information S _{j, l} with each organization Pz (1 ≦ z ≦ n) as shown in steps ST3 to ST4 below. Each other.
That is, the identification number z of the engine Pz is converted into a t-ary number as shown in Expression (10) (ST3).
z = _βr, ^ztr + _βr-1, ^ztr-1 + ... + _βj, ^ztj + ... + β0 _{, z} ... (10)
For simplicity, equation (10) is represented as equation (11).
z (t) = _{βr, zβr-1, z} ... _{βj, z} ... β0 _{, z} ... (11)
Where the t-ary value β _{r, z} ∈ ｛0, ..., t-1｝
Further, each institution Pi transmits a set S including the following (r + 1) pieces of partial random number information to the institution Pz based on the t-ary value β for each digit t ^j in z (t) (ST4).

Each institution Pz obtains a partial sum by summing partial random number information Sj, l for each digit j based on the set S obtained from all institution Pi including itself, as shown in the following equation (12). Information dj, k is calculated (ST5). Here, k∈ ｛β _{r, z} β _{r-1, z} ... Β _{0, z} ｝, and 0 ≦ j ≦ r.

  Each institution Pz stores r + 1 pieces of partial information dj, k corresponding to the number of digits j (ST6). Note that the partial information dj, k is a subset of the secret key d.

The relationship between the secret key d and the partial secret key dj, k is as shown in the following equation (13).
_{d = d 0,0 + d 0,1 +} ... + d 0, t-1 (t 0 digit)
= D _1,0 + d _1,1 + ... + d _{1, t-1} (t ^1st digit)
=… (…)
= _{Dr, 0} + _{dr, 1} + ... + _{dr, t-1} ( ^tr digit) (13)
For example, the storage information of the organization z = 20 in the (3,27) type secret sharing is as follows.

r = “log ₃ 27” = 3
^{20 = 0 × 3 3 + 2} × 3 2 + 0 × 3 1 + 2 × 3 0
20 (3) = 0202 (Ternary notation)
Therefore, the engine P _20, of all the partial information shown in the following equation (14), corresponding to the ternary representation of the identification number z (0202) partial information _{(d 3,0, d 2,2, d} 1 _{, 0} , d _0,2 ).

d = d _3,0 + d _3,1 + d _3,2 ( ^3rd digit)
= D _2,0 + d _2,1 + d _2,2 (3rd ^2nd digit)
_{= D 1,0 + d 1,1 + d} 1,2 (3 1 digit)
_{= D 0,0 + d 0,1 + d} 0,2 (3 0 digit) (14)
(Distributed decoding)
Among the n institutions P1 to Pn, arbitrary t institutions Tz (this set is denoted by Λ) are encrypted with the public key (e, N) of the user device U in response to a decryption request from the user device U. The obtained data C = M ^e (mod N) is distributedly decoded as shown in steps ST11 to ST16 in FIG.

  That is, the user device U converts the identification numbers z of the t institutions Tz into t-adic notation as shown in Expression (15) (ST11).

z (t) = _{βr, zβr-1, z} ... β0 _{, z} ... (15)
Subsequently, the user apparatus U changes all the values β of the t-ary notation for each digit t ^j (0 ≦ j ≦ r) of the t-ary notation in the t engines Ta, Tb∈Λ (a ≠ b). It is determined whether there is a digit t ^j that satisfies the condition (β _{j, a} ≠ β _{j, b} ) (ST12).

When there is no digit t ^j that satisfies this condition, distributed decoding using the set Λ is impossible, so the institution Tz in the set Λ is slightly replaced (ST13), and the process is executed again from step ST11.

When in step ST2 is satisfying digit t ^j, the user device U transmits the encrypted data C to the engine Tz (ST14).

Each institution Tz decrypts the encrypted data C based on the partial information dj, k (k = βj, z) corresponding to t ^j digits, and obtains the obtained partial output Xz (= C ^{dj, k} (mod N)) to the user device U (ST15).

The user apparatus can combine the t partial outputs Xz (z∈Λ) received from each of the t organizations Tz (z∈Λ) as in equation (16) to restore the plaintext M (ST16). ).

The above operation is a case where the plaintext M is distributedly decrypted by sending the encrypted data C (= ^Me (mod N)) to each of the t institutions Tz. However, the present embodiment is not limited to this. As shown in FIG. 5, when the signature target data M is transmitted to the t institutions Tz instead of the encrypted data C (ST14a), the partial output Xz The signature M ^d (mod N) can also be obtained by combining (ST16a).
As described above, according to the present embodiment, each of the n institutions P1 to Pn generates a public key and a secret key d, and one (n, n) type generated based on the secret key d. Holds partial information di (0 ≦ i ≦ n), and when r is the smallest integer equal to or greater than the logarithm log _t n of n with base _t , this partial information di is represented by t of (t, n) type. (R + 1) partial random numbers Sj, of which r + 1 partial random numbers Sj are represented in the t-adic representation of the identification number z of each institution Pi (the value k of the t ^j digit, 0 ≦ k ≦ t−1, 0 ≦ j ≦ r) on the basis, respectively distributed to each engine P1 to Pn, these distributed n (r + 1) number of partial random numbers t ary weighing value t ^j every collectively r + 1 pieces of partial information dj, the k obtain.

  Subsequently, the user device U selects the t institutions Tz and transmits the encrypted data C (or the data to be signed), and the t institutions Tz partially encrypts the encrypted data C (or the data to be signed). The arithmetic processing is performed based on the information dj, k, and the obtained partial outputs Xz are respectively returned to the user device U. The user device U combines the t partial outputs Xz to obtain a decryption result (or signature result). .

  In this manner, distributed decryption and signatures can be realized by arbitrary t organizations out of n organizations without calculating a secret key in an environment where there is no distributor. Further, at the time of decoding distribution, the trouble of calculating the Lagrangian interpolation coefficient can be omitted, and high processing efficiency can be realized.

  Further, in the present embodiment, the input to the ciphertext can be held in advance as a table, and the processing efficiency of the calculation can be improved as compared with the method of the literature [FMY98], because the calculation of the Lagrangian interpolation coefficient is unnecessary. .

  Further, in the present embodiment, when storing the Lagrange interpolation coefficients corresponding to all the combinations as a table, the amount of information to be stored can be reduced as compared with the method of literature [FMY98].

For example, the method of literature [FMY98] performs distributed decoding using a threshold method based on Lagrangian interpolation. Here, rather than a simple sum of the partial information with a secret key d is a respective engine P1 to Pn, each institution Pj, the interpolation coefficients lambda _j of Lagrange described _above, it calculates the _lambda, it is necessary to synthesize. Therefore, when the interpolation coefficient λ _{j, Λ} is calculated in advance and stored in the table, _n C _t interpolation coefficients λ _{j, Λ} corresponding to all combinations of one piece of partial information and the participating organization Tz are calculated and stored. There is a need to.

On the other hand, in the present embodiment, partial information corresponding to a combination of institutions may be selected from “log _t n” +1 pieces of partial information. Therefore, the number of pieces of partial information to be stored is “log _t n” +1, which is a small amount of information.

  By the way, according to the method of the present embodiment, when the combination of t institutions is bad, the ciphertext may not be able to be distributedly decrypted. This case will be supplementarily described by taking a (3, 27) type secret sharing as an example. Now, it is assumed that the following r + 1 polynomials hold for the secret key d.

d = d _3,0 + d _3,1 + d _3,2 ( ^3rd digit)
= D _2,0 + d _2,1 + d _2,2 (3rd ^2nd digit)
_{= D 1,0 + d 1,1 + d} 1,2 (3 1 digit)
_{= D 0,0 + d 0,1 + d} 0,2 (3 0 digit)
First, a case where distributed decoding is possible will be described. The decryption operation C ^d = M ^ed = M succeeds when the institutions P ₂₀ , P ₂₃ , P _{26 of the} 27 institutions intervene in the distributed decoding protocol. Here, the ternary representation of the engine P _20, P _23, P _{26 is, P 20 = 0202, P 23} = 0212, a P ₂₆ = 0222, each storage information are as shown in FIG. 6 . Turning now to the 3 order ^of magnitude, (17) As shown in equation, it is possible to decode processing by d from _{d = d 1,0 + d 1,1 +} d 1,2.
C ^d1,0 · C ^d1,1 · C ^d1,2 = M ^ed
= M (mod N) (17)
However, in each engine P _20, P _23, P ₁₁ with P ₁₁ instead of P _23, decoded operation fails. That is, ternary representation of each _{institution, P 20 = 0202, P 23} = 0212, a P ₁₁ = 0102, each storage information is as shown in FIG.

In this case, the three pieces of partial information (d _{j, 0} + d _{j, 1} + d _{j, 2} ) constituting the secret key d are not aligned in any digit j, and any one of the partial information is duplicated (conflicted) by two or more institutions. )are doing. Due to the duplication of the partial information to be stored, distributed decoding may not be possible.

In this case, another t institutions need to be selected again.
Here, when the total number n of institutions is large and t or more institutions can be selected relatively freely, the (t, n) type secret sharing of the present embodiment is suitable. In other words, even if decoding becomes impossible when the total number n of institutions is large, t institutions P may be reorganized and the distributed decoding protocol may be performed again.

Conversely, when the number of n is small and there is no room for selecting the institution P, a method of creating relational expressions according to all combinations is suitable. For example, in the ElGamal cryptosystem, a technique has been proposed in which any t organizations out of n can decrypt a ciphertext encrypted with a group key (TP Pedersen, “A threshold cryptosystem without a trusted party ", Advances in Cryptology-Eurocrypt '91, LNCS 547, pp.522-526, 1991. (hereinafter referred to as literature [Ped91b]). That is, in order to perform a distributed decryption-key recovery in any t number of institutions like manner the literature [Ped91b], may be created to _n C _t independent relational expression regarding the secret key d. More specifically, in the case of a certain combination (Λ), distributed decoding is performed by a corresponding relational expression as shown in Expression (18).

d = d _{1, Λ} + d _{2, Λ} + ... + d _{t, Λ} (18)
However, in the method of the document [Ped91b], although there is no possibility of collision, the number of relational expressions becomes enormous in proportion to the total number n of engines. Therefore, it is preferable to minimize the number of independent polynomials in a range where the possibility of collision is low.

  Since each method has advantages and disadvantages, the method of the first embodiment (reorganization method), the method of using a relational expression in the method of the first embodiment, or the method of the second embodiment described later (interpolation method) It is preferable to select which one to use depending on the conditions such as the total number n of the institutions, the processing efficiency, the environment used, and whether or not the decoding process cannot be performed.

(Second embodiment)
Next, a second embodiment of the present invention will be described. Before that, an RSA common law misuse protocol as a premise of the present embodiment will be described.

In the RSA cryptosystem, one message M is encrypted under conditions using a common law N and mutually different public exponents e1 and e2, and two different ciphertexts C ₁ and C _{2 obtained} are obtained. Suppose there is. In this case, even if the prime factor of the composite number N is unknown, the message M can be restored from the _two ciphertexts C ₁ and C ₂ (GJ Simmons, “A 'weak' privacy protocol using the RSA cryptoalgolithm”, Cryptologia, vol. 7, pp. 180-182, 1983. (hereinafter referred to as reference [Sim83]).

In the method of this document [Sim83], the two ciphertexts C ₁ and C ₂ described above are obtained as shown in the following equations (19) to (20).

C ₁ = M ^e1 (mod N) (19)
C ₂ = M ^e2 (mod N) (20)
Here, different public exponent e1, e2 of the greatest common divisor gcd (e1, e2) = 1 when it, when the following steps STc1～STc3, can restore two ciphertext C _1, the message from the C ₂ M (DR Stinson, "CRYPTOGRAPHY: Theory and Practice", CRC Press, Inc. Boca Raton, Florida, USA, 1995. (hereinafter referred to as reference [Sti95])).

(Step STc1) a1 = e1 ^-1 (mode e2)
(Step STc2) a2 = (a1e1-1) / e2
(Step STc3) M = C ₁ ^a1 (C ₂ ^a2 ) ⁻¹ (mod N)
The above processing (Steps c1 to c3) is described as follows.

Common (e1, e2) → M
As described above, in the RSA encryption system, there is a protocol that can restore the message M when a predetermined condition is satisfied. This protocol is called the RSA Common Law Misuse Protocol.

  Next, a secret sharing system according to a second embodiment of the present invention will be described. In the present embodiment, a public key is created under a condition where an RSA common law misuse protocol such as literature [Sim83] and [Sti95] can be applied, and the partial information sj of the secret key d is distributed by the technique of literature [FMY98]. This is a (t, n) type secret sharing system.

The conditions under which the RSA common law misuse protocol is applicable correspond to satisfying all of the following (a) to (c).
(A) The message M is the same.
(B) Method N is common.
(C) The greatest common divisor gcd (e1, e2) of the public indexes (e1, e2) different from each other is 1.
However, in the following description, it is denoted public exponent a (e1, e2) and (L ^2, e). In addition, L which is the original public exponent L ² is, L = n! Instead of L = (n-1)! It may be.
The user device and each institution have the same hardware configuration as that shown in FIGS. 1 and 2, and their functions are different from those of the first embodiment, and will be described below.

As described above, each of the engines P1 to Pn will be described using an arbitrary engine Pi (where 1 ≦ i ≦ n) as a representative example.
The institution Pi has a function of creating partial information (pj, qj) of the law N based on the method of [FMY98], a function of distributing the partial information pj, qj to each of the institutions P1 to Pn, and a function of each institution. A function of generating a public key (e, N) based on (pj, qj) of Pj, a function of obtaining (t, n) type partial information sj from a secret key d, and a function of generating partial information (pj, qj), respectively. ) a function for holding and sj, and a function for returning the partial output Zj obtained by decoding the ciphertext received from the user ^{_{C (= C 2 = M e}} (mod N)) to the user device U .

The user device U has a function of selecting t institutions Tz out of n institutions, and a ciphertext C ₂ (= ^Me (mod N)) encrypted with the public key (e, N). a function of transmitting to the engine Tz of pieces, a function to obtain the ciphertext ^{_{C 1 (= M L2 (mod}} N)) by combining the partial output Zj received from each institution Tz, 2 two ciphertexts (M ^L2, It has a function of calculating the message M from M ^e ) using the above-mentioned RSA common law misuse protocol Common (L ² , e) → M.

Next, the operation of the secret sharing system configured as described above will be described.
((T, n) type secret sharing)
Each of the institutions mutually uses the secret key d as (t, n) type partial information and distributes the corresponding partial information sj individually to n institutions P1 to Pn based on the method of document [FMY98].

  Specifically, each institution Pj creates a component (pj, qj) of the law N and transmits it. Each institution Pj determines whether the composite N = (p1 + p2 +... + Pn) (q1 + q2 +... + Qn) of (pj, qj) received from each other institution Pj is a product of two different prime numbers, and If it is the product of

  Each institution Pj generates a public key (e, N) based on (pj, qj) and calculates partial information dj of the secret key d to be held by each institution Pj ((n, n) type secret sharing Done).

d = d1 + d2 + ... + dj + ... + dn
Next, each institution Pj converts the (n, n) secret key d into a (t, n) secret key d by the Sum-to-Poly technique ((t, n) secret sharing Done).

At this time, a polynomial such as equation (21) is determined for _t-1 random numbers {b1,... Bt _-1 } Z.
f (x) = d + b1x + b2x 2 + ... + b t-1 x t-1 ... (21)
This equation is a k-1 order polynomial using a y-intercept as a secret key d, and has a property uniquely determined from k coordinate points (j, f (j)) by Lagrangian interpolation. However, it is not uniquely determined from k-1 coordinate points, and any y-intercept is possible, and there is also a property that the secret key d cannot be obtained.

  Each institution Pj calculates f (j) by substituting its own identification number j (1 ≦ j ≦ n) of each institution P1 to Pn as an independent variable x into the above polynomial f (x), and f (x) The partial information sj (= f (j)) indicating the above y coordinate is obtained for each institution Pj.

  Each institution Pj stores the obtained (t, n) type partial information sj and previously stored partial information (pj, qj) of the prime factor pq of the modulus N. Although (n, n) type partial information dj is also held, it is not particularly used in the present embodiment.

(Distributed decoding)
Of the n institutions, arbitrary t institutions Tz (this set is denoted by Λ) are data encrypted with the public key (e, N) of the user device U in response to a decryption request from the user device U. C = M ^e a (mod N) dispersed decoded as shown in step ST21~ST24 in FIG. Here, L = n! The greatest common divisor gcd (e, L ² ) = 1.

That is, the user device U transmits the ciphertext ^{C (= M e (mod N} )) the t pieces of each institution Tj (∈Λ) (ST21).
Each institution Tj calculates a partial output Zj using its own partial information sj, and returns the obtained partial output Zj to the user device U as shown in the following equations (22) to (24) (ST22). ).

The user apparatus U combines the partial outputs Zj received from each of the t institutions Tj and calculates the ciphertext M ^L2 (mod N) as in the following equation (25) (ST23).

The user equipment U is the original ciphertext M ^e, from two different ciphertexts the ciphertext ^{M L2 (M L2, M e} ), RSA common modulus misuse Protocol Common to the aforementioned (L ^2, e) → The message M is calculated using M (ST24). Note that the present embodiment, the correspondence between the above-described protocol, it is a ^{(M L2, M e) =} (C 1, C 2), (L 2, e) = (e1, e2). Here, the RSA common law misuse protocol has soundness as shown in equation (26).

C1 ^a1 (C2 ^a2 ) ^-1 = ^ML2a1-ea2 = M (mod N) (26)
(Distributed signature)
Note that the user device U is not limited to the distributed decryption, and may cause t institutions Tz to perform the distributed signature.
In this case, as shown in FIG. 9, the user device U uses the signature target data S1 (= M) instead of the decryption target cipher text C (ST21a), and replaces the decryption result cipher text M ^L2 with: The signature result S2 (= (M ^d ) ^{L ^ 2} (mod N), where ^ is a symbol indicating a power) is used (ST23a).

Then, from (C ₁ , C ₂ ) = (M ^{dL ^ 2} , M) = ((M ^d ) ^{L ^ 2} , (M ^d ) ^e ), the user apparatus U uses the following RSA common method as described above. based on misuse protocol, to calculate a signature M ^d (ST24a).

a1 = (L ² ) ⁻¹ (mode)
a2 = (a1L ² -1) / e
M = C ₁ ^a1 (C ₂ ^a2 ) ⁻¹ (mod N)
Here, the RSA common law misuse protocol has soundness as shown in Expression (27).

C1 ^a1 (C2 ^a2 ) ⁻¹ = M ^{d (L2a1−ea2)}
= M ^d (mod N) (27)
(Modification of distributed signature)
The above-mentioned shared signature may be modified as shown in FIG. That is, after step ST23a, the user device U transmits the pair of the signature target data S1 and the signature result S2 to the other party's signature verification device (not shown) (ST25a).
The signature verification device calculates the first comparison data D1 (= ^Me (mod N)) from the signature target data S1 and the first public key (e, N), and calculates the signature result S2 and the second public key (e, N). ) Is used to calculate the second comparison data D2 (= ML ^{^ 2} (mod N)) (ST26a).

  Subsequently, the signature verification device executes an arithmetic process based on the first and second comparison data D1 and D2 and the RSA common method misuse protocol of the following equations (28) to (30) to obtain an output M ( ST27a).

a1 = (L ² ) ⁻¹ (mode) (28)
a2 = (a1L ² -1) / e (29)
M = D ₁ ^a1 (D ₂ ^a2 ) ⁻¹ (mod N) (30)
Here, when the output M matches the signature target data S1, the signature verification device recognizes the signature of the user device U as valid (ST28a).
As described above, according to the present embodiment, when the partial information sj of the secret key d is distributed to n institutions P1 to Pn in the RSA cryptosystem under the condition that the RSA common law misuse protocol can be applied, the user device U selects t institutes Tz and transmits the encrypted data C1, and each of the t institutes Tz calculates and processes the encrypted data C1 (= M ^e (mod N)). The output Zj is returned to the user apparatus, and the user apparatus U combines the t partial outputs Zj to obtain a decoding result C2 (= ML ² (mod N)), and also obtains the decoding result C2 and the processing target data C1. And an arithmetic process based on the RSA common law misuse protocol to obtain a final decryption result M.

  Accordingly, distributed decryption by any t institutions out of n institutions can be realized without calculating a secret key in an environment where there is no distributor, and Lagrange using a public key under a predetermined condition High reliability can be achieved based on the interpolation method.

Further, the signature target data S2 (= M) is used instead of the decryption target data C2, and the signature result S1 (= M ^{dL ^ 2} (mod N), where ^ is a symbol indicating a power) is used instead of the decryption result C1. by using, using an RSA common modulus misuse protocol, and performs arithmetic processing, obtaining the signature M ^d.

As a result, a distributed signature can be performed in the same manner as the distributed decryption.
That is, according to the present embodiment, by generating a public key under a predetermined condition, the decryption process and the signature process can be reliably executed regardless of the combination of the t institutions.

  It should be noted that the method of the present embodiment for realizing the above-described function in the non-dealer model and the document [FGMY97] for realizing the function (distributed decryption / distributed signature in (t, n) type) in the dealer model The method will be described in comparison.

  The system of the present embodiment is based on the Euclidean formula of the following equation (30), using α and β as coefficients, as in the system of document [FGMY97].

eα + L ² β = 1 (30)
However, gcd (e, L ² ) = 1

  In the method of the present embodiment, after the partial output Zj is combined at the time of decoding, M is calculated from the combined output by the Euclidean algorithm. Therefore, the processing efficiency is lower than the method of the document [FGMY97] by the amount of the M calculation processing. (In the method of document [FGMY97], since the dealer creates the Euclidean formula at the time of key distribution, the partial output of each organization is combined at the time of decryption, and the combined output becomes the message M).

However, the method of literature [FGMY97] requires a dealer who knows the Euler function φ (N) of N, and secretly distributes L ² k satisfying d≡P + L ² k (mod φ (N)) to a plurality of institutions. And share. Here, if the dealer loses the secret key d and the prime factors p and q, the secret key d cannot be recovered from the plurality of institutions. The reason is that even if L ² k is recovered, the secret key d cannot be calculated from L ² k because the modulus φ (N) is lost. However, P + L ² k congruent with d can be calculated by the modulus φ (N).

  That is, in the method of the document [FGMY97], distributed signature and distributed decryption can be performed in an environment where a dealer exists, but key recovery of d itself to the dealer cannot be performed. In the method of document [FGMY97], when performing key recovery, a document of a dealer model (TP Pedersen, “Distributed provers with applications to undeniable signatures”, Advances in Cryptology-Eurocrypt '91, LNCS 547, pp.221-238, 1991. It is necessary to use another system such as the system of (hereinafter referred to as reference [Ped91a]) or the system of reference [Oka97]. Here, when the positions of the conventional system and the present invention system in the distributed RSA encryption system are arranged, each system is classified as shown in FIG.

  On the other hand, in the environment of the present invention, in an environment where a dealer exists, distributed signature and distributed decryption can be realized by a combination with the document [Ped91a]. In an environment where a dealer does not exist, as described above, the combination with the document [FMY98] and the like can be realized. Thus, a distributed signature and a distributed decryption can be realized.

  Note that the first and second embodiments described above describe the case of an environment where there is no dealer, and therefore, Modifications 1 and 2 when applied to an environment where a dealer exists will be briefly described below. .

  That is, the first modification is a case where the first embodiment is applied to a dealer model. The user apparatus U as a dealer creates all the partial secret keys dj, k satisfying the expression (13), and Do the work of sorting. According to the first modification, the efficiency can be improved as much as the complicated processing of steps ST1 to ST4 described above can be omitted.

  Modification 2 is a case in which the second embodiment is combined with the document [Ped91a], and can perform the same function as the result of the combination with the document [FMY98].

  In other words, the present invention can be realized with (t, n) type secret sharing irrespective of the presence or absence of a dealer. The present invention is not limited to each of the above-described embodiments, and may be any t birds out of n birds. Functions that put birds in different birdhouses (K. Kurosawa and D. Stinson, Personal communication, June 1996 Referred in Desmedt's paper. (Y. Desmedt, “Some recent research aspects of threshold cryptography,” Information Security, LNCS 1396, pp. 158-173, 1997.)).

  The storage medium in the present invention can store programs such as a magnetic disk, floppy disk, hard disk, optical disk (CD-ROM, CD-R, DVD, etc.), magneto-optical disk (MO, etc.), semiconductor memory, etc., and As long as the storage medium is readable by a computer, the storage form may be any form.

  Further, an OS (Operating System) running on the computer based on an instruction of a program installed in the computer from the storage medium, MW (Middleware) such as database management software, network software, etc. realize the present embodiment. May be partially executed.

  Further, the storage medium in the present invention is not limited to a medium independent of a computer, but also includes a storage medium in which a program transmitted through a LAN, the Internet, or the like is downloaded and stored or temporarily stored.

  Further, the number of storage media is not limited to one, and the case where the processing in the present embodiment is executed from a plurality of media is also included in the storage medium of the present invention, and any media configuration may be used.

  The computer according to the present invention executes each process according to the present embodiment based on a program stored in a storage medium, and includes a device such as a personal computer and a system in which a plurality of devices are connected to a network. Or any other configuration.

  Further, the computer in the present invention is not limited to a personal computer, but also includes an arithmetic processing unit, a microcomputer, and the like included in an information processing device, and is a general term for devices and devices that can realize the functions of the present invention by a program. .

Further, the present invention is not limited to the RSA encryption system, and may be applied to encryption systems other than the RSA encryption system as long as the encryption system is based on the prime factorization problem.
In addition, the present invention can be variously modified and implemented without departing from the gist thereof.

FIG. 1 is a schematic diagram illustrating a configuration of a secret sharing system according to a first embodiment of the present invention. FIG. 2 is a block diagram showing a hardware configuration of each institution and a user device in the embodiment. Flowchart for explaining secret sharing operation in the embodiment Flowchart for explaining a decoding operation in the embodiment Flowchart for explaining a signature operation in the embodiment Schematic diagram showing storage information of each institution for explaining a decryptable example in the embodiment Schematic diagram showing storage information of each institution for explaining an example in which decoding is impossible in the embodiment Flow chart for explaining a decoding operation in the second embodiment of the present invention Flowchart for explaining a signature operation in the embodiment Flowchart for explaining a deformation operation in the same embodiment Classification chart showing the positioning of the conventional method and the present method Schematic diagram showing a set of partial information stored in each institution in the conventional method Schematic diagram showing the combination of engines and partial information of the target in the conventional method

Explanation of reference numerals

  1: Network, U: User equipment, P1 to Pn, Pi: Organization

Claims (1)

  Used in an encryption system based on the prime factorization problem, partial final information of a secret key is distributed to n institutions, and any of the institutions is in an environment where it is impossible to calculate the secret key only with its own partial final information. At this time, a (t, n) type secret sharing system capable of generating a decryption result and a signature result without calculating the secret key by any t of the n institutions.

Images