JP2005346006A - System, device, and method for managing access right, program for terminal, and access right managing program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To secure full security by avoiding the risk of data leakage in data decipherment, even when the access right to the data which is access restricted by encryption is transferred to another person. <P>SOLUTION: A terminal 1a enciphers data S by using (a)'s secret key R to generate enciphered data A=S*R, stores it, and transmits the enciphered data A to a terminal 1b. The terminal 1b, when it receives the enciphered data A, enciphers the enciphered data A by using (b)'s secret key R', generates enciphered data A'=A*R', and transmits the enciphered data A' to the terminal 1a. The terminal 1a, when it receives the enciphered data A', further enciphers the enciphered data A' by using the (a)'s secret key R, generates enciphered data A"=A'*R, and transmits the enciphered data A", from the terminal 1a to the terminal 1b. Thus, in the terminal 1b, the received enciphered data A" is deciphered by using (b)'s secret key to obtain the data S. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a security technique for transferring encrypted data to another person or transferring the access right of encrypted data to another person.

  Conventionally, there is a method of restricting access to data by encrypting it as one of methods for restricting access to data held by itself. For example, in order to prevent access by others to data that is desired to be kept secret or important confidential data, the data is encrypted and stored. In such a case, no one other than the owner of the encryption key can decrypt the encrypted data.

The prior art document information related to this application includes the following.
Electronic Commerce Demonstration Promotion Council Security WG, “Encryption Technology Handbook (Second Edition)”, [Online], [Search May 20, 2004], Internet <URL: http://www.ecom.jp/ qecom / seika / naiyou / 11report / e11-sec3.pdf>

  However, if you want to transfer the access authority of such encrypted data to another person (including the case where you want to transfer the encrypted data itself to another person, the same applies hereinafter), you can transfer your encryption key to another person. Except for the case of transfer, it is necessary that the encrypted data is once decrypted with its own encryption key, and then, after the transfer, another person needs to encrypt the data with its own encryption key. In this case, since the encrypted data is once decrypted and transferred in an unencrypted state, there is a problem that if the data leaks in this state, sufficient security cannot be ensured.

  The present invention has been made in view of the above circumstances, and avoids the risk of data leakage due to data decryption even when the access authority of data restricted by encryption is transferred to another person. It is an object of the present invention to provide an access right management system, an access right management device, an access right management method, a terminal program, and an access right management program that can sufficiently ensure security.

  In order to achieve the above object, the present invention according to claim 1 is provided with a plurality of terminals for encrypting data using a Burnham cipher, and an access right management system for managing transfer of access authority of the data between the terminals. And means for encrypting the data with a first encryption key of the assigning terminal and generating first encrypted data in the assigning terminal having an access authority for the data, and the first encrypted data Means for transmitting the access authority of the data from the assigning terminal to the assigning terminal, and encrypting the first encrypted data with the second encryption key of the assigning terminal in the assigning terminal, Means for generating second encrypted data; means for transmitting the second encrypted data from the assigning terminal to the assigning terminal; and in the assigning terminal, the assigning terminal Means for encrypting the second cipher data with the first cipher key to generate third cipher data; means for transmitting the third cipher data from the assigning terminal to the assigning terminal; The assigning-side terminal has means for storing the third encrypted data in a predetermined storage unit as data for which access authority has been assigned.

  According to a second aspect of the present invention, in the first aspect of the invention, the transfer side terminal decrypts the third encrypted data stored in the storage unit with the second encryption key, It has the means to produce | generate, It is characterized by the above-mentioned.

  The present invention according to claim 3 is an access right management device that is capable of mutual communication with a plurality of terminals and manages transfer of data access authority between the terminals using a Vernam cipher. Generating a first encryption key of a transfer-side terminal, encrypting the data with the first encryption key, and generating first encryption data; and storing the first encryption data in a predetermined storage unit Means for storing the transfer terminal as data having access authority, means for transmitting the first encryption key to the transfer terminal, and transferring the data access authority from the transfer terminal. The first encryption key is received, and the second encryption key of the transferee terminal that receives the data access authority is generated, and the first encryption data stored in the storage unit is received. Darkness of Means for encrypting with the key and the generated second encryption key to generate second encrypted data; means for storing the second encrypted data in the storage unit as data to which the transferee terminal has access authority; And means for transmitting the second encryption key to the transfer side terminal.

  According to a fourth aspect of the present invention, in the invention according to the third aspect, when the data is used, the second encryption key is received from the assigning terminal and stored in the storage unit. Means for decrypting the second encrypted data with the received second encryption key and generating the data.

The present invention according to claim 5 is an access right management apparatus that is capable of mutual communication with a plurality of terminals and manages transfer of data access rights between the terminals using a secret sharing method, wherein the secret sharing method Is a data division method that divides the data into a desired number of divided data based on a desired processing unit bit length, and generates a plurality of original partial data by dividing the data into processing unit bit lengths. Then, corresponding to each of the plurality of original partial data, a plurality of random part data having a processing unit bit length is generated from a random number having a length equal to or shorter than the bit length of the data, and each divided data is configured. Each divided partial data to be generated is generated for each processing unit bit length by exclusive OR of the original partial data and the random number partial data to generate divided data of a desired number of divisions and newly generated A plurality of random part data having a processing unit bit length from the random number generated, and generating a subdivision partial data for each processing unit bit length by exclusive OR of the divided part data and the random part data; Is a data division method for generating re-divided data of the number of divisions, generating a first random number of a transfer-side terminal having an access authority for the data, and using the secret sharing method from the first random number and the data Means for generating a plurality of pieces of divided data, means for transmitting a part of the plurality of pieces of divided data to the transfer side terminal, and transferring the remainder of the plurality of pieces of divided data to the transfer side terminal in a predetermined storage unit. Means for storing data having access authority, means for receiving a part of the divided data from the transfer side terminal, and Generating a second random number of the transferee terminal to which the authority is transferred, and using the secret sharing method from the second random number and a part of the received divided data and the remainder of the divided data stored in the storage unit, Means for generating a plurality of subdivision data; means for transmitting a part of the plurality of subdivision data to the assigning terminal;
And means for storing the remainder of the plurality of repartitioned data in the storage unit as data to which the transferee terminal has access authority.

  According to a sixth aspect of the present invention, in the fifth aspect of the present invention, when the data is used, means for receiving a part of the subdivision data from the assigning terminal, and the received subdivision data Means for restoring the data using the secret sharing method from a combination of a predetermined number of re-divided data that can be restored among a part and the remainder of the re-divided data stored in the storage unit It is characterized by.

  According to a seventh aspect of the present invention, in the invention according to the fifth or sixth aspect, the secret sharing method uses a new random number portion corresponding to the random number portion data as the random number portion data in the definition formula of each divided portion data. Each subdivision partial data is generated by a definition formula of each subdivision partial data replaced with data.

  The present invention according to claim 8 is an access right management method for managing transfer of access authority of the data between the terminals of an access right management system comprising a plurality of terminals for encrypting data using a Burnham cipher. In the assigning terminal having an access authority for the data, the step of encrypting the data with the first encryption key of the assigning terminal to generate the first encrypted data; and Transmitting the data access authority from the terminal to the assigning terminal, and encrypting the first encrypted data with the second encryption key of the assigning terminal in the assigning terminal, A step of generating data; a step of transmitting the second encrypted data from the transferee terminal to the transferee terminal; and Encrypting the second encrypted data with the first encryption key of the terminal to generate third encrypted data; and transmitting the third encrypted data from the assigning terminal to the assigning terminal. And storing the third encrypted data in a predetermined storage unit as the data to which the access right has been transferred, in the transfer-side terminal.

  The present invention according to claim 9 is an access right management method in which an access right management apparatus capable of mutual communication with a plurality of terminals manages transfer of data access rights between the terminals using Vernam encryption, Generating a first encryption key of the assigning terminal having data access authority, encrypting the data with the first encryption key, and generating first encrypted data; and The step of storing as data having access authority to the assigning terminal in a predetermined storage unit, the step of transmitting the first encryption key to the assigning terminal, and when transferring the access authority of the data, Receiving the first encryption key from the assigning terminal; generating a second encryption key of the assigning terminal to which the data access authority is assigned; and storing the first encryption key stored in the storage unit Encrypting encrypted data with the received first encryption key and the generated second encryption key to generate second encrypted data; and transferring the second encrypted data to a predetermined storage unit to the transfer-side terminal Storing as data having access authority and transmitting the second encryption key to the assigning terminal.

  The present invention according to claim 10 is an access right management method in which an access right management apparatus capable of mutual communication with a plurality of terminals manages transfer of access rights of data between the terminals using a secret sharing method, The secret sharing method is a data division method that divides the data into a desired number of division data based on a desired processing unit bit length, and divides the data into processing unit bit lengths, and generates a plurality of elements. Generating partial data, corresponding to each of the plurality of original partial data, generating a plurality of random number partial data of a processing unit bit length from a random number having a length equal to or shorter than the bit length of the data, Each divided partial data constituting the divided data is generated for each processing unit bit length by exclusive OR of the original partial data and the random number partial data to generate divided data of a desired number of divisions. In addition, a plurality of random number partial data having a processing unit bit length is generated from a newly generated random number, and the re-divided partial data is obtained for each processing unit bit length by exclusive OR of the divided partial data and the random number partial data. A data dividing method for generating and generating the desired number of subdivision data, generating a first random number of a transfer side terminal having access authority for the data, and generating the first random number and the data A step of generating a plurality of pieces of divided data using the secret sharing method, a step of transmitting a part of the plurality of pieces of divided data to the transfer side terminal, and a remaining storage of the plurality of pieces of divided data Storing the data to which the assigning terminal has access authority, and receiving the part of the divided data from the assigning terminal when transferring the data access authority And generating a second random number of the transferee terminal to which the access authority of the data is transferred, from the second random number, a part of the received divided data, and the remainder of the divided data stored in the storage unit Using the secret sharing method, generating a plurality of subdivision data, transmitting a part of the subdivision data to the assigning terminal, and the rest of the subdivision data, Storing in the storage unit as data to which the transferee terminal has access authority.

  The present invention according to claim 11 is a terminal program for an access right management system comprising a plurality of terminals for encrypting data using a Burnham cipher, and managing access right transfer of the data between the terminals. Encrypting the data with the first encryption key of the assigning terminal to the assigning terminal having the data access authority, and generating the first encrypted data; and converting the first encrypted data into the data Transmitting the access right to the assigning terminal, receiving from the assigning terminal encrypted with the second encryption key of the assigning terminal, and receiving the generated second encrypted data; Encrypting the second encrypted data with a first encryption key to generate third encrypted data; and using the third encrypted data as access right transfer data And transmitting to the receiving side terminal, and wherein the to execution.

  The invention according to claim 12 is a terminal program for an access right management system comprising a plurality of terminals for encrypting data using a Burnham cipher, and managing access right transfer of the data between the terminals. A first encryption key generated by encrypting the data with a first encryption key of the assigning terminal from the assigning terminal having the data access authority to the assigning terminal that receives the data access authority; Receiving the data; encrypting the first encrypted data with a second encryption key of the assigning terminal; generating second encrypted data; and transferring the second encrypted data to the assigning terminal. Transmitting to the transfer-side terminal, receiving the generated third encrypted data by encrypting the second encrypted data with the first encryption key, and The serial third cipher data, and storing in a predetermined storage unit as data inherited access rights, characterized in that for the execution.

  According to a thirteenth aspect of the present invention, in the invention according to the twelfth aspect, the step of decrypting the third cipher data stored in the storage unit with the second cipher key and generating the data is the transfer. It is characterized by being executed by a side terminal.

  The present invention according to claim 14 is a computer-readable access right management program that can communicate with a plurality of terminals and manages transfer of data access rights between the terminals using Vernam encryption. Generating a first encryption key of the assigning terminal having access authority for the data, encrypting the data with the first encryption key, and generating first encrypted data; and Storing encrypted data in a predetermined storage unit as data to which the assigning terminal has access authority, transmitting the first encryption key to the assigning terminal, and transferring the data access authority Receiving the first encryption key from the assigning terminal, and generating a second encryption key of the assigning terminal that receives the data access authority, Encrypting the first encrypted data stored in the storage unit with the received first encryption key and the generated second encryption key to generate second encrypted data; and the second encrypted data And the step of storing the second encryption key in the predetermined storage unit as data to which the transferee terminal has access authority and the step of transmitting the second encryption key to the transferee terminal. .

  According to a fifteenth aspect of the present invention, in the invention according to the fourteenth aspect, when the data is used, the step of receiving the second encryption key from the assigning terminal and the data stored in the storage unit The second encryption data is decrypted with the received second encryption key and the data is generated. The computer is caused to execute.

  The present invention according to claim 16 is a computer-readable access right management program that can communicate with a plurality of terminals and manages the transfer of data access rights between the terminals using a secret sharing method. The secret sharing method is a data division method that divides the data into a desired number of division data based on a desired processing unit bit length, and divides the data into processing unit bit lengths, A plurality of original partial data is generated, and a plurality of random partial data having a processing unit bit length is generated from a random number having a length equal to or shorter than the bit length of the data corresponding to each of the plurality of original partial data. Then, each divided partial data constituting each divided data is generated for each processing unit bit length by exclusive OR of the original partial data and the random number partial data, and the desired divided number of Generate split data and generate a plurality of random number part data with a processing unit bit length from the newly generated random number. For each processing unit bit length by exclusive OR of each of the divided part data and the random number part data. A data division method for generating repartitioned partial data to generate the desired number of repartitioned data, generating a first random number of a transfer-side terminal having access authority for the data, Generating a plurality of pieces of divided data from the random number and the data using the secret sharing method; transmitting a part of the plurality of pieces of divided data to the transfer side terminal; and remaining of the plurality of pieces of divided data Are stored in a predetermined storage unit as data to which the transfer side terminal has access authority, and when transferring the access authority of the data, Receiving a part of the divided data; generating a second random number of the transferee terminal to which the access authority of the data is transferred; storing the second random number, a part of the received divided data, and the storage unit; Generating a plurality of subdivision data using the secret sharing method from the rest of the subdivided data, transmitting a part of the plurality of subdivision data to the assigning terminal, and Storing the remainder of the re-divided data in the storage unit as data to which the assigning terminal has access authority.

  According to a seventeenth aspect of the present invention, in the invention of the sixteenth aspect, when the data is used, a step of receiving a part of the re-divided data from the transfer side terminal; Restoring the data from the combination of a predetermined number of re-divided data that can be restored out of a part of the re-divided data stored in the storage unit using the secret sharing method. It is made to perform.

  The present invention according to claim 18 is the invention according to claim 16 or 17, wherein the secret sharing method uses a random number part data in a definition formula of each divided part data as a new random number part corresponding to the random number part data. Each subdivision partial data is generated by a definition formula of each subdivision partial data replaced with data.

  According to the present invention, there are provided a plurality of terminals for encrypting using the Burnham cipher, and the first encryption data encrypted with the first encryption key in the assigning terminal that assigns data access authority is used in the assigning terminal. The third encryption data is generated by encrypting the second encryption data with the first encryption key at the transfer-side terminal, and encrypting the second encryption data with the second encryption key. Since the data is transferred to the transferee terminal, even if the access authority of the data restricted by encryption is transferred to another person, the data authority can be transferred without being decrypted once, and sufficient security is ensured. Can do.

  In addition, according to the present invention, the access right management device includes a plurality of terminals and an access right management device that encrypts data using the Burnham cipher, and the access right management device encrypts data with the first encryption key for the assigning terminal. The first encryption data is managed, and the first encryption key is managed by the transfer side terminal. When the data access right is transferred, the access right management device uses the first encryption key for the transfer-side terminal and the second encryption key for the transfer-side terminal. Since the data is further encrypted, the second encrypted data is managed, and the second encryption key is managed by the transferee terminal, even when the access authority of the data restricted by encryption is transferred to another person , Data authority can be transferred without decryption, and sufficient security can be secured.

  Further, according to the present invention, the access right management device includes a plurality of terminals and an access right management device that encrypts using the secret sharing method, and the access right management device divides the data by the secret sharing method using the random number of the assigning terminal. Data is generated, and a part of the divided data is managed by the transfer side terminal and the rest is managed by the access right management device. Then, when the data access authority is transferred from the assigning terminal to the assigning terminal, the access right management device generates the repartitioned data from the divided data by the secret sharing method using the new random number of the assigning terminal. However, since a part of the divided data is managed by the assigning terminal and the rest is managed by the access right management device, even if the access authority of the data restricted by encryption is transferred to another person, it is not decrypted once Data authority can be transferred to and security can be sufficiently secured.

  In particular, the secret sharing method in the present invention is a data division method that divides data into divided data of a desired number of divisions based on a desired processing unit bit length. And generating a plurality of random part data having a processing unit bit length from a random number having a length equal to or shorter than the bit length of the data, corresponding to each of the plurality of original part data, Each divided partial data constituting each divided data is generated for each processing unit bit length by exclusive OR of the original partial data and the random number partial data to generate a desired number of divided data and newly generated A plurality of random part data having a processing unit bit length from the obtained random number, and subdivision partial data for each processing unit bit length by exclusive OR of each divided part data and the random part data Generated and, because it generates the re-division data of a desired number of divisions, without restoring the data, the data can be subdivided and can manage the data of the user more secure.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

<First Embodiment>
FIG. 1 is a diagram showing a schematic configuration of an access right management system 10 according to the first embodiment of the present invention.

  As shown in FIG. 1, an access right management system 10 connects client terminals (hereinafter simply referred to as terminals) 1i (i = a, b) provided by a user via a communication network 2 such as the Internet. Each terminal 1i can communicate with each other. In the present embodiment, the following description will be given assuming that the user of the terminal 1a is the former (data transfer side) and the user of the terminal 1b is the second party (data transfer side) of the pair of terminals.

  Each terminal 1i is a device that performs encryption and decryption of data using Vernam encryption, and includes a storage unit 11, a data encryption unit 12, a data decryption unit 13, and a communication unit 14.

  Here, the Burnham cipher prepares a random number sequence having the same length as the data, performs an exclusive OR operation (XOR) on the nth bit of the data and the nth bit of the random number sequence, and decrypts it. Is an encryption method that performs an exclusive OR operation (XOR) of the nth bit of the encrypted data and the nth bit of the random number sequence. Hereinafter, the exclusive OR operation (XOR) is represented by an operation symbol “*”, and the operation results in the operation rule for each bit of the exclusive OR operation are as follows.

The operation result of 0 * 0 is 0
The result of 0 * 1 is 1
The result of 1 * 0 is 1
The result of 1 * 1 is 0
In addition, the XOR operation has an exchange law and a joint law. That is,
a * b = b * a
It is mathematically proved that (a * b) * c = a * (b * c) holds.

  Also, a * a = 0, a * 0 = 0 * a = a holds. Here, a, b, and c represent bit strings having the same length, and 0 represents a bit string having the same length and consisting of all “0”.

  The storage unit 11 stores data S that the user wants to restrict access, an encryption key (decryption key) R for encrypting the data S, encrypted data, and the like. In FIG. 1, the former encryption key is denoted by R, and the second encryption key is denoted by R 'to distinguish the two. The data lengths of the data S, the encryption key R, and the encryption key R ′ are the same.

  The data encryption unit 12 encrypts the data S with the encryption key R to generate the encrypted data A, and the data decryption unit 13 decrypts the encrypted data A with the encryption key R to generate the data S. It is like that. That is, A = S * R for encryption, S = A * R for decryption, and the encrypted data A generated by the exclusive OR operation of the data S and the encryption key R Data S is restored by performing an exclusive OR operation with the encryption key R.

  Further, as will be described later, the data encryption unit 12 not only encrypts the data S, but also encrypts the encrypted data A ′ sent from the other terminal 1 i with its own encryption key R. It has become. Further, as will be described later, the data decryption unit 13 can decrypt the encrypted data A ′ sent from the other terminal 1i with its own encryption key R, and thus the access-restricted data. Can be transferred.

  The communication unit 14 transmits and receives encrypted data between the terminals 1i.

  Here, the terminal 1i described above is an electronic device having a central processing unit (CPU) having at least a calculation function and a control function, and a main storage device (memory) including a RAM having a function of storing programs and data. It is comprised from. In addition to the main storage device, the apparatus may include an auxiliary storage device such as a hard disk.

  Among these, the data encryption part 12, the data decryption part 13, and the communication part 14 are nothing but what specifically showed the calculation control function by said CPU. The storage unit 11 has functions of the main storage device and the auxiliary storage device.

  A program for executing various processes according to the present embodiment is stored in the main storage device or the hard disk described above. The program can be recorded on a computer-readable recording medium such as a hard disk, a flexible disk, a CD-ROM, an MO, or a DVD-ROM, or can be distributed via a communication network.

  Next, the operation of the access right management system 10 according to the present embodiment will be described with reference to FIG. Here, FIG. 2 is a sequence diagram showing exchange of data between the terminal 1a and the terminal 1b when the data authority of the data encrypted by the user A is transferred to the second party.

  First, in the terminal 1a, the encrypted data A obtained by encrypting the data S using the former encryption key R is generated and stored in the storage unit 11 (steps S10 and S20). Here, A = S * R.

  Next, when the access authority of the data S is transferred, the encrypted data A is transmitted from the transfer terminal 1a to the terminal 1b (step S30).

  Upon receiving the encrypted data A, the terminal 1b further encrypts the encrypted data A using the second encryption key R 'to generate the encrypted data A' (step S40). That is, A '= A * R'.

  Next, the encrypted data A 'is transmitted from the terminal 1b to the terminal 1a (step S50).

  Upon receiving the encrypted data A ′, the terminal 1a further encrypts the encrypted data A ′ using the former encryption key R to generate the encrypted data A ″ (step S60), that is, A ″ = A ′. * R.

  Next, the encrypted data A ″ is transmitted from the terminal 1a to the terminal 1b as data to which the access authority has been transferred (step S70).

  In the terminal 1b, the received encrypted data A ″ is stored in the storage unit 11 as data to which the access authority has been transferred (step S80).

Next, when the encrypted data A ″ is decrypted by the terminal 1b, the decrypted data S is generated using the second encryption key R ′ (step S90).
A "= A '* R
= (A * R ') * R
= ((S * R) * R ') * R
= S * R * R '* R
= S * (R * R) * R '
= S * 0 * R '
= S * R '
Therefore, by the exclusive OR of the received encrypted data A ″ and the encryption key R ′,
A ″ * R ′ = (S * R ′) * R ′ = S
By becoming. Since A ″ = S * R ′, the encrypted data A ″ cannot be decrypted with the former encryption key R.

  Therefore, according to the access right management system 10 according to the present embodiment, the terminals 1a and 1b that encrypt using the Burnham cipher are provided, and encryption is performed with the encryption key R in the transfer-side terminal 1a that transfers the data access authority. The encrypted data A is encrypted with the encryption key R ′ at the terminal 1b on the transfer side to obtain the encrypted data A ′, and the encrypted data A ′ encrypted with the encryption key R at the terminal 1a. Since the encrypted data A ″ is transferred to the terminal 1b, the data authority can be transferred without being decrypted once even when the access authority of the data restricted by encryption is transferred to another person. Sufficient security can be secured.

<Second Embodiment>
FIG. 3 is a diagram showing a schematic configuration of the access right management system 20 according to the second embodiment of the present invention.

  As shown in FIG. 3, the access right management system 20 connects a client terminal (hereinafter simply referred to as a terminal) 3 i (i = a, b) provided by a user and the access right management server 4 via the communication network 2. Each terminal 3i and the access right management server 4 can communicate with each other. In the present embodiment, the following description will be made assuming that the user of the terminal 3a is the former (data authority transfer side) and the user of the terminal 3b is the user (data authority transfer side) of the pair of terminals.

  Each terminal 3 i is a terminal that holds data S whose access is to be restricted, and includes a storage unit 31 and a communication unit 32.

  The storage unit 31 stores data S whose access is to be restricted, an encryption key R transmitted from the access right management server 4 (an encryption key used for data encryption of a user having data authority), and the like. It has become. In FIG. 1, the former encryption key is denoted by R, and the second encryption key is denoted by R 'to distinguish the two. The data lengths of the data S, the encryption key R, and the encryption key R ′ are the same.

  The communication unit 32 transmits and receives data between the terminal 3 i and the access right management server 4.

  The access right management server 4 is a device that performs encryption and decryption of data using Vernam encryption, and includes an encrypted data storage unit 41, a key generation unit 42, a data encryption unit 43, a data decryption unit 44, and a communication unit 45. I have.

  The encrypted data storage unit 41 includes the encrypted data A encrypted by the data encryption unit 43 (the encrypted data in case where the user has access authority for the data S), A ″ (when the user has the access authority for the data S) The second party's encryption data).

  The key generation unit 42 generates encryption keys (decryption keys) R and R ′ used for encryption by the data encryption unit 43.

  The data encryption unit 43 encrypts the data S transmitted (sent) from the terminal 3a using the former encryption key R, and generates encrypted data A. Further, when the authority of the data S is transferred from the first party to the second party, the encrypted data A is further encrypted by using the first encryption key R and the second encryption key R ′ to generate the encrypted data A ″. The encryption keys R and R ′ used for encryption are transmitted to the terminals 3a and 3b via the communication unit 45, respectively.

  When the encryption key R ′ is transmitted from the user to whom the data authority has been transferred, that is, the second party, the data decryption unit 44 decrypts the encrypted data A ″ using the encryption key R ′ and transmits the data S to the communication unit 45 is sent (sent) to the terminal 3b.

  The communication unit 45 transmits and receives data between the terminal 1 i and the access right management server 4.

  Here, the terminal 3i and the access right management server 4 described above each include a central processing unit (CPU) having at least a calculation function and a control function, a main storage device (RAM) having a function of storing programs and data, and the like. The electronic device has a memory. In addition to the main storage device, the apparatus may include an auxiliary storage device such as a hard disk.

  Among these, the communication unit 32 of the terminal 3i, the key generation unit 42, the data encryption unit 43, the data decryption unit 44, and the communication unit 45 of the access right management server 4 specifically show the calculation control function by the CPU. It is none other than. The storage unit 31 of the terminal 3i and the encrypted data storage unit 41 of the access right management server 4 have the functions of the main storage device and the auxiliary storage device.

  A program for executing various processes according to the present embodiment is stored in the main storage device or the hard disk described above. The program can be recorded on a computer-readable recording medium such as a hard disk, a flexible disk, a CD-ROM, an MO, or a DVD-ROM, or can be distributed via a communication network.

  Next, the operation of the access right management system 20 according to the present embodiment will be described with reference to FIG. Here, FIG. 4 is a sequence diagram showing exchange of data between the terminals 3a and 3b and the access right management server 4 when the data authority of the data S is transferred from the former to the second party.

  First, if the user A has access authority for the data S, the data S is transmitted from the terminal 3a of the user A to the access management server 4 (step S110). When transmitting the data S, a secure communication network 2a (for example, a LAN, an IP-VPN, a dedicated line, a telephone line, etc., not an open communication network 2b such as the Internet network) that prevents leakage of communication contents is used. In addition, instead of communication via the communication network 2a, for example, sending means such as mail may be used.

  When the access right management server 4 receives the data S from the terminal 3a, the access right management server 4 generates an encryption key R of the former A and generates encryption data A = S * R using the encryption key R (steps S120 and S130). Then, the encryption data A is stored in the encryption data storage unit 41, and the encryption key R is transmitted to the instep terminal 3a via the communication network 2 (steps S140 and S150).

  Upon receiving the encryption key R from the access right management server 4, the terminal 3a stores the encryption key R in the storage unit 31 (step S160).

  With the above operation, the access right to the data S of the former is managed by the access right management server 4.

  Next, when Party A transfers the access authority for data S to Party B, access request for transferring the data access right from Party A to Party B and the encryption key R are accessed from the terminal 3a of Party A via the communication network 2. It transmits to the right management server 4 (step S210).

  When the access right management server 4 receives an access right transfer request from the terminal 3 a to the second party and the encryption key R, the access right management server 4 generates the second encryption key R ′ and stores the encrypted data A stored in the encrypted data storage unit 41. Then, encrypted data A ″ = A * R * R ″ is generated using the encryption keys R and R ′ (steps S220 and S230). Then, the encryption data A ″ is stored in the encryption data storage unit 41, and the encryption key R ′ is transmitted to the terminal 3b of the second party via the communication network 2 (steps S240 and S250).

  Upon receiving the encryption key R ′ from the access right management server 4, the terminal 3 b stores the encryption key R ′ in the storage unit 31 (Step S <b> 260).

  With the above operation, the access authority for the data S is transferred from Party A to Party B.

  Next, when the second party uses the data S, the use request of the data S and the encryption key R 'are transmitted from the terminal 3b to the access management server 4 via the communication network 2 (step S310).

When the access right management server 4 receives the use request of the instep data S and the encryption key R ′ from the terminal 3b, the access right management server 4 decrypts the encryption data A ″ stored in the encryption data storage unit 41 using the encryption key R ′, Data S is generated (step S320).
A "= A * R * R '
= (S * R) * R * R '
= S * R * R * R '
= S * (R * R) * R '
= S * 0 * R '
= S * R '
Because
A ″ * R ′ = (S * R ′) * R ′
= S * R '* R'
= S
Thus, data S is obtained. Then, the decrypted data S is transmitted to the user's terminal 3b via the secure communication network 2a or sending means (step S330).

  When the terminal 3b receives the data S from the access management server 4, the terminal 3b stores the data S in the storage unit 31 (step S340). As a result, the second party can use the data S at the terminal 3b.

  Therefore, the access right management system 20 according to the present embodiment includes the access right management server 4 that encrypts data using the Burnham cipher and the terminals 3a and 3b. The data S of the user A of the assigning terminal 3a that transfers the data is encrypted with the encryption key R of the user A, the encrypted data A is managed, and the encryption key A is managed by the terminal 3a. When the access right of the data S is transferred from the user A to the user B of the terminal 3b on the receiving side, the access right management server 4 uses the encryption key R of the user A and the encryption key R ′ of the user B to encrypt the data. A is further encrypted, encrypted data A ″ is managed, and the encryption key A is managed by the terminal 3b. Therefore, even when the access authority of the data whose access is restricted by the encryption is transferred to another person, it is once decrypted Data authority can be transferred without security, and sufficient security can be secured.

<Third Embodiment>
(System configuration)
FIG. 5 is a diagram showing a schematic configuration of an access right management system 30 according to the third embodiment of the present invention.

  As shown in FIG. 5, the access right management system 30 connects a client terminal (hereinafter simply referred to as a terminal) 3 i (i = a, b) provided by the user and the access right management server 5 via the communication network 2. Each terminal 3i and the access right management server 5 can communicate with each other. The access right management server 5 is connected to a plurality of data storage server computers (hereinafter simply referred to as storage servers) 6a and 6b that are independent of each other in terms of hardware. . In the present embodiment, the following description will be made assuming that the user of the terminal 3a is the former (data authority transfer side) and the user of the terminal 3b is the user (data authority transfer side) of the pair of terminals.

  Each terminal 3 i is a terminal that holds data S whose access is to be restricted, and includes a storage unit 31 and a communication unit 32.

  The storage unit 31 stores data S whose access is to be restricted, divided data D (3) transmitted from the access right management server 5, and the like. That is, the encryption key R is transmitted in the second embodiment, but the difference is that the divided data D (3) is transmitted in the present embodiment. In FIG. 1, the divided data of the former A is indicated by D (3), and the divided data of the former A is indicated by D '(3) to distinguish them.

  The communication unit 32 transmits and receives data between the terminal 3 i and the access right management server 5.

  The access right management server 5 divides the data S for which the user is authorized into a plurality of data using a secret sharing method (hereinafter referred to as secret sharing method A) based on a unique secret sharing algorithm, which will be described later. The storage servers 6a and 6b and the terminal 3a are stored respectively. In FIG. 1, the access right management server 5 is divided into three divided data D (1), D (2), and D (3), and each is stored in a plurality of storage servers 6a and 6b and the terminal 3a. It is like that.

  Further, when transferring the data authority of the data S from Party A to Party B, the access right management server 5 uses the above-mentioned secret sharing method A to divide the data D (1), D (2), D (3 ) To generate re-divided data D ′ (1), D ′ (2), D ′ (3) and store them in a plurality of storage servers 6a, 6b and terminal 3b.

  In this embodiment, the case where the data S is divided and stored is described as an example. However, the present invention is not limited to the case where the data S is divided into three, and is divided into n (n = 2). It is also applied to the case of the above integer). Further, the divided data stored in the terminal 3i is not limited to one and may be plural. In this embodiment, the divided data D (1), D (2) (repartitioned data D ′ (1), D ′ (2)) are stored in the storage server 6 and the divided data D (3) (repartitioned). Data D ′ (3)) is assigned to terminal 3i, but any divided data may be assigned to any storage server 6 and terminal 3i. Furthermore, in the present embodiment, a part of the divided data (repartitioned data) is stored in the storage servers 6a and 6b, but may be managed in the access right management server 5.

  Specifically, the access management server 5 generates a random number R used to generate a plurality of divided data D from the data S and a random number R ′ used to generate the re-divided data D ′. 51, a divided data generation unit 52 that divides data S into a plurality of divided data D using secret sharing method A, and a plurality of divided data D using secret sharing method A when transferring data authority from Party A to Party B A re-divided data generator 53 for generating a plurality of re-divided data D ′ from the data, a data restoring unit 54 for recovering the data S from the plurality of re-divided data D ′ using the secret sharing method A, and the terminal 3i 6a and 6b are provided with a communication unit 55 for transmitting and receiving data.

  Here, the terminal 3i, the access right management server 5 and the storage servers 6a and 6b described above are respectively a central processing unit (CPU) having at least a calculation function and a control function, a RAM having a function for storing programs and data, and the like. It is comprised from the electronic apparatus which has the main memory device (memory) which consists of. In addition to the main storage device, the apparatus may include an auxiliary storage device such as a hard disk.

  Among them, the communication unit 32 of the terminal 3i, the random number generation unit 51 of the access right management server 5, the divided data generation unit 52, the subdivision data generation unit 53, the data restoration unit 54, and the communication unit 55 are controlled by the CPU. It is nothing but a specific example of the function. In addition, the storage unit 31 and the storage servers 6a and 6b of the terminal 3i have the functions of the main storage device and the auxiliary storage device.

  A program for executing various processes according to the present embodiment is stored in the main storage device or the hard disk described above. The program can be recorded on a computer-readable recording medium such as a hard disk, a flexible disk, a CD-ROM, an MO, or a DVD-ROM, or can be distributed via a communication network.

(Secret sharing method A)
Here, the secret sharing method A based on the unique secret sharing algorithm in the present embodiment will be described.

  In the division and restoration of the original data (corresponding to the data S) in the present embodiment, the original data is divided into divided data of a desired number of divisions based on the desired processing unit bit length. In this case, the processing unit bit length Can be set to any value, and the original data is divided into processing unit bit lengths, and the divided partial data is generated from this original partial data by a number one less than the number of divisions, so that the bit length of the original data is If it does not match an integer multiple of (divided number -1) times the processing unit bit length, the bit length of the original data is set to the processing unit bit length (divided number -1 by filling in 0 at the end of the original data. ) This embodiment can be applied by adjusting to an integral multiple of times.

  The random numbers described above are also generated from the random number generator 51 as (partition number-1) random number partial data having a bit length of the processing unit bit length corresponding to each of the (partition number-1) original partial data. Is done. That is, the random numbers are divided into processing unit bit lengths, and are generated as (partition number-1) random number partial data having a bit length of the processing unit bit length. Further, the original data is divided into a desired number of divided data based on the processing unit bit length, and each of the divided data also corresponds to each of the (division number-1) original partial data. It is generated as (partition number -1) pieces of divided partial data having a bit length. That is, each piece of divided data is divided into processing unit bit lengths, and is generated as (partition number-1) pieces of divided partial data having a bit length of the processing unit bit length.

  In the following description, the above-described original data, random numbers, divided data, number of divisions, and processing unit bit length are represented by S, R, D, n, and b, respectively, and one of a plurality of data, random numbers, and the like. I (= 1 to n) and j (= 1 to n-1) are used as variables to represent one, (division number n-1) original partial data, (division number n-1) random number partial data , And one of each of the divided data D of the number n of divisions is represented by S (j), R (j) and D (i), respectively, and a plurality of ( The divided partial data of (n-1) is represented by D (i, j). That is, S (j) represents the j-th original partial data when the original data S is numbered in order from the top by dividing the processing unit bit length from the top.

  When this notation is used, the original data, random number data, and divided data, and the original partial data, random number partial data, and divided partial data that constitute these, respectively, are represented as follows.

Original data S = (n-1) original partial data S (j)
= S (1), S (2), ..., S (n-1)
Random number R = (n-1) random number partial data R (j)
= R (1), R (2), ..., R (n-1)
n divided data D (i) = D (1), D (2),..., D (n)
Each partial data D (i, j)
= D (1,1), D (1,2), ..., D (1, n-1)
D (2,1), D (2,2), ..., D (2, n-1)
………
D (n, 1), D (n, 2), ..., D (n, n-1)
(i = 1 ~ n), (j = 1 ~ n-1)
In the present embodiment, an exclusive OR operation (XOR) of the original partial data and the random number partial data is performed on the plurality of partial data divided for each processing unit bit length as described above. The original data is divided using a definition formula consisting of exclusive OR (XOR) of data and random number partial data, and a method of using a polynomial or a remainder operation for the above data division processing Compared with, it uses the exclusive OR (XOR) operation, which is a bit operation suitable for computer processing, and does not require high-speed and high-performance processing power, and it is simple operation even for large volumes of data. The divided data can be generated by repeating the processing, and the storage capacity required for storing the divided data can be made smaller than the multiple capacity proportional to the divided number. Further, the divided data is generated by stream processing in which calculation processing is performed in order from the top of the data for each predetermined fixed length.

  Next, the operation of the secret sharing method A in the present embodiment will be described with reference to drawings such as flowcharts, but the definitions of symbols shown in FIGS. 6 to 10 and FIG. 12 will be described before this description.

(1) Π _{i = 1} ⁿ A (i) means A (1) * A (2) *... A (n).

  (2) c (j, i, k) is (n-1) × (n-1) matrix U [n-1, n-1] × (P [n-1, n-1]) ^ It is defined as the value of i row and k column of (j-1).

  At this time, Q (j, i, k) is defined as follows.

When c (j, i, k) = 1 Q (j, i, k) = R ((n-1) × m + k)
Q (j, i, k) = 0 when c (j, i, k) = 0
However, m represents an integer of m ≧ 0.

(3) U [n, n] is an n × n matrix, and the value of i rows and j columns is represented by u (i, j).
When i + j <= n + 1, u (i, j) = 1
When i + j> n + 1, u (i, j) = 0
It means that the matrix is “upper triangular matrix”. Specifically, the matrix is as follows.

(4) P [n, n] is an n × n matrix, and the value of i rows and j columns is represented by p (i, j).
When j = i + 1, p (i, j) = 1
p (i, j) = 1 when i = 1, j = n
For other cases p (i, j) = 0
It means that the matrix is “rotation matrix”. Specifically, the matrix is as follows, and when multiplied from the right side of another matrix, the first column of the other matrix is changed to the second column, the second column to the third column,. Is moved to the nth column, and the nth column is moved to the first column. That is, when the matrix P is applied to another matrix a plurality of times from the right side, each column can be moved so as to rotate rightward by that number of times.

  (5) If A and B are n × n matrices, A × B means the product of the matrices A and B. The calculation rules for the matrix components are the same as those used in normal mathematics.

  (6) When A is an n × n matrix and i is an integer, A ^ i means i products of the matrix A. A ^ 0 means the unit matrix E.

(7) The unit matrix E [n, n] is an n × n matrix, and the value of i rows and j columns is represented by e (i, j).
e (i, j) = 1 when i = j
For other cases e (i, j) = 0
Let's mean a matrix that is Specifically, the matrix is as follows. Let A be any n × n matrix
A × E = E × A = A
It has the property to be

  Next, with reference to the flowchart shown in FIG. 6 and the specific data shown in FIGS. 7 and 8, the division process of the original data S will be described first. This explains the function of the divided data generation unit 52 of the access right management server 5.

  First, the original data S is given to the access right management server 5 (step S201 in FIG. 6). In this example, the original data S is 16 bits “10110010 00110111”.

  Next, the access right management server 5 instructs the division number n to be 3 (step S203). Note that the three pieces of divided data generated by the access right management server 5 in accordance with the division number n = 3 are D (1), D (2), and D (3). The divided data D (1), D (2), and D (3) are all 16-bit data that is the same as the bit length of the original data.

  Then, the processing unit bit length b used for dividing the original data S is determined to be 8 bits (step S205). The processing unit bit length b may be specified by the user from the terminal 3 to the access right management server 5 or may be a value predetermined in the access right management server 5. The processing unit bit length b may be an arbitrary number of bits, but here, it is 8 bits that can divide the original data S. Therefore, the original data S of the above 16-bit “10110010 00110111” is divided into “10110010” when the two original divided data S (1) and S (2) are divided by the 8-bit processing unit bit length. And “00110111”.

  In the next step S207, it is determined whether or not the bit length of the original data S is an integer multiple of 8 × 2, and if it is not an integer multiple, the end of the original data S is padded with zeros to obtain 8 × 2 Fit to an integer multiple. Note that the division processing when the processing unit bit length b is set to 8 bits and the division number n is set to 3 as in this example is not limited to 16 bits as the bit length of the original data S. This is effective for the original data S that is an integral multiple of the length b × (number of divisions n−1) = 8 × 2.

  Next, in step S209, the variable m, that is, the variable m meaning the integer multiple described above is set to zero. As in this example, when the original data S has a processing unit bit length b × (number of divisions n−1) = 8 × 2 = 16 bits, the variable m is 0, but is doubled to 32 bits. In this case, the variable m is 1, and in the case of 3 times 48 bits, the variable m is 2.

  Next, it is determined whether or not there is data for 8 × 2 bits from the 8 × 2 × m + 1 bit of the original data S (step S211). This is because the division processing shown after step S211 is performed on the processing unit bit length b × (number of divisions n−1) = 8 × 2 = 16 bits specified by the variable m of the original data S, It is determined whether or not there is the next 16 bits as data S. In the case where the original data S is 16 bits as in this example, when the dividing process after step S211 is performed once on the 16-bit original data S, the variable m is incremented by 1 in step S219 described later. However, in the original data S of this example, there is no data of 17 bits or more corresponding to the case where the variable m is m + 1, so the process proceeds from step S211 to step S221. In this case, however, the variable m is Since it is 0, the 8 × 2 × m + 1 bit of the original data S is 8 × 2 × 0 + 1 = 1, and the data is 8 × 2 bits from the first 16 bits of the original data S. Since it exists, it progresses to step S213.

  In step S213, the variable j is changed from 1 to 2 (= number of divisions n-1), and 8 bits (= processing unit bits) from the 8 × (2 × m + j-1) +1 bit of the original data S Data) is set to the original partial data S (2 × m + j), thereby dividing the original data S by the processing unit bit length 2 (number of divisions n-1) original partial data S (1) , S (2) is generated as follows.

Original data S = S (1), S (2)
First original partial data S (1) = “10110010”
Second original partial data S (2) = “00110111”
Next, the variable j is changed from 1 to 2 (= division number n-1), and a random number of 8 bits length generated from the random number generator 51 is set in the random number partial data R (2 × m + j). Thus, 2 (division number n-1) random number partial data R (1) and R (2) obtained by dividing the random number R by the processing unit bit length are generated as follows (step S215).

Random number R = R (1), R (2)
First random number partial data R (1) = “10110001”
Second random number partial data R (2) = “00110101”
Next, in step S217, the variable i is changed from 1 to 3 (= number of divisions n), and the variable j is further changed from 1 to 2 (= number of divisions n-1) in each variable i, as shown in step S217. Each divided partial data D (i, 2 × m + j) that constitutes each of the plurality of divided data D (i) by a definition formula consisting of exclusive OR of the original partial data and random number partial data for generating the divided data ) Is generated. As a result, the following divided data D is generated.

Split data D
= 3 pieces of divided data D (i) = D (1), D (2), D (3)
First divided data D (1)
= 2 pieces of partial data D (1, j) = D (1,1), D (1,2)
= "00110110", "10110011"
Second divided data D (2)
= 2 pieces of partial data D (2, j) = D (2,1), D (2,2)
= "00000011", "00000010"
Third divided data D (3)
= 2 pieces of partial data D (3, j) = D (3,1), D (3,2)
= "10110001", "00110101"
Note that the definition formula shown in step S217 for generating each divided partial data (i, j) is specifically described in the table shown in FIG. 8 when the division number n = 3 as in this example. Will be. From the table shown in FIG. 8, the definition formula for generating the divided partial data D (1,1) is S (1) * R (1) * R (2), and the definition formula for D (1,2) Is S (2) * R (1) * R (2), the definition of D (2,1) is S (1) * R (1), and the definition of D (2,2) is S (2) * R (2), the defining formula for D (3,1) is R (1), and the defining formula for D (3,2) is R (2). The table shown in FIG. 8 also describes general definition formulas for arbitrary integers when m> 0.

  In this way, after the divided data D is generated for the variable m = 0 which means an integer multiple, the variable m is then incremented by 1 (step S219), the process returns to step S211 and the original data S corresponding to the variable m + 1 is returned. However, since the original data S in this example is 16 bits and there is no data after 17 bits, the process proceeds from step S211 to step S221 and is generated as described above. The divided data D (1), D (2), and D (3) are stored in the storage server 6 and the terminal 3, respectively, and the division process ends. The divided data D (1), D (2), D (3) stored in this way cannot be estimated as original data alone.

  Here, the divided data generation processing based on the definition formula in step S217 in the flowchart of FIG. 6 described above, specifically, the divided data generation processing when the number of divisions n = 3 will be described in detail.

  First, in the case of a variable m = 0 meaning an integer multiple, each divided partial data D constituting each of the divided data D (i) = D (1) to D (3) from the definition formula shown in step S217. (i, 2 × m + j) = D (i, j) (i = 1 to 3, j = 1 to 2) is as follows.

D (1,1) = S (1) * Q (1,1,1) * Q (1,1,2)
D (1,2) = S (2) * Q (2,1,1) * Q (2,1,2)
D (2,1) = S (1) * Q (1,2,1) * Q (1,2,2)
D (2,2) = S (2) * Q (2,2,1) * Q (2,2,2)
D (3,1) = R (1)
D (3,2) = R (2)
Specifically, Q (j, i, k) included in the above four formulas among the above six formulas is obtained.

When c (j, i, k) is a value of i rows and k columns of U [2,2] × (P [2,2]) ^ (j-1) which is a 2 × 2 matrix, Is defined as

When c (j, i, k) = 1 Q (j, i, k) = R (k)
Q (j, i, k) = 0 when c (j, i, k) = 0
here,
When j = 1

When j = 2

  If this is used, each division | segmentation partial data D (i, j) is produced | generated by the following definitional expressions.

D (1,1) = S (1) * Q (1,1,1) * Q (1,1,2) = S (1) * R (1) * R (2)
D (1,2) = S (2) * Q (2,1,1) * Q (2,1,2) = S (2) * R (1) * R (2)
D (2,1) = S (1) * Q (1,2,1) * Q (1,2,2) = S (1) * R (1) * 0 = S (1) * R (1 )
D (2,2) = S (2) * Q (2,2,1) * Q (2,2,2) = S (2) * 0 * R (2) = S (2) * R (2 )
The definition formula for generating each of the divided partial data D (i, j) is also shown in FIG.

  FIG. 7 shows the original data from the respective data, definition formulas, and divided partial data when the 16-bit original data S is divided into three with the division number n = 3 based on the 8-bit processing unit bit length as described above. It is a table | surface which shows the calculation formula in the case of decompress | restoring.

  Here, the divided data D (1), D (2), D (3) and the respective divided partial data D (1,1), D (1,2), D (2,1), The process of generating D (2,2), D (3,1), and D (3,2) and the general form of the definition formula will be described.

  First, for the first divided data D (1), the first divided partial data D (1,1) is defined by the definition formula S (1) * R (1) * R (2) described above. Then, the second divided partial data D (1, 2) is defined by the definition formula S (2) * R (1) * R (2). The general form of this defining formula is S (j) * R (j) * R (j + 1) for D (1, j), and for D (1, j + 1) S (j + 1) * R (j) * R (j + 1) (j is an odd number). When calculated according to the definition formula, D (1,1) is 00110110 and D (1,2) is 10110011, so D (1) is 00100110 10110011. The general form of the definition formula is collectively shown in FIG.

  For the second divided data D (2), D (2,1) is defined by S (1) * R (1), and D (2,2) is S (2) * R ( Defined in 2). The general form of this definition is S (j) * R (j) for D (2, j) and S (j + 1) * R for D (2, j + 1) (j + 1) (j is an odd number). When calculated according to the definition formula, D (2,1) becomes 00000011 and D (2,2) becomes 00000010, so D (2) is 00000011 00000010.

  Further, for the third divided data D (3), D (3,1) is defined by R (1) and D (3,2) is defined by R (2). The general form of this definition is R (j) for D (3, j) and R (j + 1) for D (3, j + 1) (j is an odd number) To do). When calculated according to the definition formula, D (3,1) is 10110001, D (3,2) is 00110101, and D (3) is 10110001 00110101.

  In the above description, the length of S, R, D (1), D (2), D (3) is 16 bits. Even from the original data S, the divided data D (1), D (2), and D (3) can be generated. In addition, the processing unit bit length b can be arbitrarily set, and the original data having an arbitrary length, specifically, processing is performed by repeating the above division processing for each length of b × 2 in order from the top of the original data S. The present invention can be applied to original data having an integral multiple of the unit bit length b × 2. If the length of the original data S is not an integral multiple of the processing unit bit length b × 2, for example, the length of the original data S is set to the processing unit bit length b × 2 by filling the end portion of the data with 0, for example. The division processing of this embodiment described above can be applied by adjusting to an integral multiple of.

  Next, a process for restoring the original data from the divided data will be described with reference to the table shown on the right side of FIG. This indicates that the original data can be restored from the divided data.

  First, the access right management server 5 is requested to restore the original data S. The access right management server 5 acquires the divided data D (1), D (2), D (3) from the storage server 6 and the terminal 3, and the acquired divided data D (1), D (2), D The original data S is restored from (3) as follows.

  First, the first original partial data S (1) can be generated from the divided partial data D (2,1) and D (3,1) as follows.

D (2,1) * D (3,1) = (S (1) * R (1)) * R (1)
= S (1) * (R (1) * R (1))
= S (1) * 0
= S (1)
Specifically, since D (2,1) is 00000011 and D (3,1) is 10110001, S (1) is 10110010.

  Further, the second original partial data S (2) can be generated from the other divided partial data as follows.

D (2,2) * D (3,2) = (S (2) * R (2)) * R (2)
= S (2) * (R (2) * R (2))
= S (2) * 0
= S (2)
Specifically, since D (2,2) is 00000010 and D (3,2) is 00110101, S (2) is 00110111.

In general, let j be an odd number
D (2, j) * D (3, j) = (S (j) * R (j)) * R (j)
= S (j) * (R (j) * R (j))
= S (j) * 0
= S (j)
Therefore, S (j) can be obtained by calculating D (2, j) * D (3, j).

In general, j is an odd number,
D (2, j + 1) * D (3, j + 1) = (S (j + 1) * R (j + 1)) * R (j + 1)
= S (j + 1) * (R (j + 1) * R (j + 1))
= S (j + 1) * 0
= S (j + 1)
Therefore, S (j + 1) can be obtained by calculating D (2, j + 1) * D (3, j + 1).

  Next, when acquiring D (1) and D (3) and restoring S, it is as follows.

D (1,1) * D (3,1) * D (3,2) = (S (1) * R (1) * R (2)) * R (1) * R (2) = S ( 1) * (R (1) * R (1)) * (R (2) * R (2))
= S (1) * 0 * 0
= S (1)
Therefore, S (1) can be obtained by calculating D (1,1) * D (3,1) * D (3,2). Specifically, since D (1,1) is 00110110, D (3,1) is 1010001, and D (3,2) is 0110101, S (1) is 10110010.

Similarly,
D (1,2) * D (3,1) * D (3,2) = (S (2) * R (1) * R (2)) * R (1) * R (2)
= S (2) * (R (1) * R (1)) * (R (2) * R (2))
= S (2) * 0 * 0
= S (2)
Therefore, S (2) can be obtained by calculating D (1,2) * D (3,1) * D (3,2). Specifically, since D (1,2) is 10110011, D (3,1) is 10110001, and D (3,2) is 00110101, S (2) is 00110111.

In general, let j be an odd number
D (1, j) * D (3, j) * D (3, j + 1) = (S (j) * R (j) * R (j + 1)) * R (j) * R (j +1)
= S (j) * (R (j) * R (j)) * (R (j + 1) * R (j + 1))
= S (j) * 0 * 0
= S (j)
Therefore, S (j) can be obtained by calculating D (1, j) * D (3, j) * D (3, j + 1).

In general, j is an odd number,
D (1, j + 1) * D (3, j) * D (3, j + 1) = (S (j + 1) * R (j) * R (j + 1)) * R (j) * R (j + 1)
= S (j + 1) * (R (j) * R (j)) * (R (j + 1) * R (j + 1))
= S (j + 1) * 0 * 0
= S (j + 1)
Therefore, S (j + 1) can be obtained by calculating D (1, j + 1) * D (3, j) * D (3, j + 1).

  Next, when acquiring D (1) and D (2) and restoring S, it is as follows.

D (1,1) * D (2,1) = (S (1) * R (1) * R (2)) * (S (1) * R (1))
= (S (1) * S (1)) * (R (1) * R (1)) * R (2)
= 0 * 0 * R (2)
= R (2)
Therefore, R (2) is obtained by calculating D (1,1) * D (2,1). Specifically, since D (1,1) is 00110110 and D (2,1) is 00000011, R (2) is 00110101.

Similarly,
D (1,2) * D (2,2) = (S (2) * R (1) * R (2)) * (S (2) * R (2))
= (S (2) * S (2)) * R (1) * (R (2) * R (2))
= 0 * R (1) * 0
= R (1)
Therefore, R (1) is obtained by calculating D (1,2) * D (2,2). Specifically, since D (1,2) is 10110011 and D (2,2) is 00000010, R (1) is 10110001.

  Using these R (1) and R (2), S (1) and S (2) are obtained.

D (2,1) * R (1) = (S (1) * R (1)) * R (1)
= S (1) * (R (1) * R (1))
= S (1) * 0
= S (1)
Therefore, S (1) can be obtained by calculating D (2,1) * R (1). Specifically, since D (2,1) is 00000011 and R (1) is 10110001, S (1) is 10110010.

Similarly,
D (2,2) * R (2) = (S (2) * R (2)) * R (2)
= S (2) * (R (2) * R (2))
= S (2) * 0
= S (2)
Therefore, S (2) can be obtained by calculating D (2,2) * R (2). Specifically, since D (2,2) is 00000010 and R (2) is 00110101, S (2) is 00110111.

In general, let j be an odd number
D (1, j) * D (2, j) = (S (j) * R (j) * R (j + 1)) * (S (j) * R (j))
= (S (j) * S (j)) * (R (j) * R (j)) * R (j + 1)
= 0 * 0 * R (j + 1)
= R (j + 1)
Therefore, R (j + 1) can be obtained by calculating D (1, j) * D (2, j).

Similarly,
D (1, j + 1) * D (2, j + 1) = (S (j + 1) * R (j) * R (j + 1)) * (S (j + 1) * R (j +1))
= (S (j + 1) * S (j + 1)) * R (j) * (R (j + 1) * R (j + 1))
= 0 * R (j) * 0
= R (j)
Therefore, R (j) can be obtained by calculating D (1, j + 1) * D (2, j + 1).

  Using these R (j) and R (j + 1), S (j) and S (j + 1) are obtained.

D (2, j) * R (j) = (S (j) * R (j)) * R (j)
= S (j) * (R (j) * R (j))
= S (j) * 0
= S (j)
Therefore, S (j) can be obtained by calculating D (2, j) * R (j).

Similarly,
D (2, j + 1) * R (j + 1) = (S (j + 1) * R (j + 1)) * R (j + 1)
= S (j + 1) * (R (j + 1) * R (j + 1))
= S (j + 1) * 0
= S (j + 1)
Therefore, S (j + 1) is obtained by calculating D (2, j + 1) * R (j + 1).

  As described above, when the divided data is repeatedly generated from the beginning of the original data based on the processing unit bit length b to generate divided data, the three divided data D (1), D (2), D ( Even if not all of 3) is used, the original data can be restored as described above using two divided data of the three divided data. That is, even if the terminal 3 loses the divided data, the original data can be restored from the other divided data stored in the storage server 6.

  In the access right management server 5 according to the present embodiment, since three pieces of divided data D (1), D (2), D (3) are generated, the number of divisions is three. However, the secret sharing method A can be applied even when the number of divisions is n.

  Next, a general division process when the number of divisions is n and the processing unit bit length is b will be described with reference to the flowchart shown in FIG.

  First, the original data S is given to the access right management server 5 (step S401). Further, the access right management server 5 is instructed for the division number n (an arbitrary integer satisfying n ≧ 3) (step S403). The processing unit bit length b is determined (step S405). Note that b is an arbitrary integer greater than 0. Next, it is determined whether or not the bit length of the original data S is an integer multiple of b × (n−1). If it is not an integer multiple, the end of the original data S is filled with 0 (step S407). Further, a variable m meaning an integer multiple is set to 0 (step S409).

  Next, it is determined whether or not there is data of b × (n−1) bits from the b × (n−1) × m + 1 bit of the original data S (step S411). As a result of this determination, if there is no data, the process proceeds to step S421. However, in this case, since the variable m is set to 0 in step S409, the data exists, so step S413. Proceed to

  In step S413, the variable j is changed from 1 to n-1, and b bits ((n-1) × m + j-1) +1 bit data of the original data S is converted into the original partial data S. ((n-1) × m + j) is repeated, whereby (n-1) pieces of original partial data S (1), S (2 ),... S (n-1) is generated.

  Next, the variable j is changed from 1 to n-1, and the random number of the processing unit bit length b generated from the random number generation unit 51 is set in the random number partial data R ((n-1) × m + j). Thus, n-1 random number partial data R (1), R (2),... R (n-1) obtained by dividing the random number R by the processing unit bit length b are generated (step S415).

  Next, in step S417, while changing the variable i from 1 to n and further changing the variable j from 1 to n-1 in each variable i, a plurality of definition expressions for generating the divided data shown in step S417 are used. Each divided partial data D (i, (n−1) × m + j) constituting each of the divided data D (i) is generated. As a result, divided data D as shown below is generated.

Split data D
= n pieces of divided data D (i) = D (1), D (2), ... D (n)
First divided data D (1)
= n-1 divided partial data D (1, j) = D (1,1), D (1,2), ... D (1, n-1)
Second divided data D (2)
= n-1 divided partial data D (2, j) = D (2,1), D (2,2), ... D (2, n-1)
………
………
N-th divided data D (n)
= n-1 divided partial data D (n, j) = D (n, 1), D (n, 2), ... D (n, n-1)
In this way, after generating the divided data D for the variable m = 0, the variable m is then incremented by 1 (step S419), and the process returns to step S411 to return b × (n of the original data S corresponding to the variable m = 1. -1) Similar division processing is performed for the bits after the bit. Finally, if there is no data in the original data S as a result of the determination in step S411, the process proceeds from step S411 to step S421, and the divided data D (1),..., D (n) generated as described above are stored in the storage server 6. Then, the data is stored in the terminal 3 and the dividing process is terminated.

  In the embodiment described above, the random number component may be lost by performing an operation between the partial data constituting only the divided data. That is, for example, in the case of three divisions, each divided partial data is defined as follows.

D (1,1) = S (1) * R (1) * R (2), D (1,2) = S (2) * R (1) * R (2),…
D (2,1) = S (1) * R (1), D (2,2) = S (2) * R (2),…
D (3,1) = R (1), D (3,2) = R (2),…
Looking at D (1), for example, if D (1,1) and D (1,2) can be acquired,
D (1,1) * D (1,2) = (S (1) * R (1) * R (2)) * (S (2) * R (1) * R (2))
= S (1) * S (2) * ((R (1) * R (1)) * ((R (2) * R (2))
= S (1) * S (2) * 0 * 0
= S (1) * S (2)
It becomes. In general, D (1, j) * D (1, j + 1) = S (j) * S (j + 1). Here, j is j = 2 × m + 1, and m is an arbitrary integer satisfying m ≧ 0.

  D (1,1) and D (1,2) are generated by the calculation of the original data and random numbers based on the above definition. However, although the contents of the original data are not known, S (1) * S (2) is calculated by calculating D (1,1) * D (1,2). This is not the original data itself, but does not include a random number component.

  If the random component is lost in this way, for each original partial data, for example, if part of S (2) is known, part of S (1) can be restored, so it is not safe. Conceivable. For example, the original data is data according to a standardized data format, and S (2) includes header information and padding (for example, a part of the data area padded with 0), etc. If it is a part, it includes keywords specific to these data formats, fixed character strings, and the like, so the contents can be predicted. Further, a part of S (1) can be restored from the known part of S (2) and the value of S (1) * S (2).

  The method for solving this problem is as follows. D (1, j + 1) and D (2, j + 1) in FIG. 10 are obtained by replacing D (1, j + 1) and D (2, j + 1) in FIG. Here, j is j = 2 × m + 1, and m is an arbitrary integer satisfying m ≧ 0.

In this case, with only the individual divided data, the random number component is not lost even if the calculation is performed between the divided partial data constituting the divided data. This is from FIG.
D (1, j) * D (1, j + 1) = (S (j) * R (j) * R (j + 1)) * (S (j + 1) * R (j + 1))
= S (j) * S (j + 1) * R (j) * ((R (j + 1) * R (j + 1))
= S (j) * S (j + 1) * R (j) * 0
= S (j) * S (j + 1) * R (j)
D (2, j) * D (2, j + 1) = (S (j) * R (j)) * (S (j + 1) * R (j) * R (j + 1))
= S (j) * S (j + 1) * (R (j) * R (j)) * R (j + 1))
= S (j) * S (j + 1) * 0 * R (j + 1)
= S (j) * S (j + 1) * R (j + 1)
D (3, j) * D (3, j + 1) = R (j) * R (j + 1)
Because it becomes.

  In this case, the characteristic that the original data can be restored from two of the three divided data is not lost. When D (1) and D (2) are acquired and S is restored, D (1) and D (2) in FIG. 10 are D (1) and D (2) in FIG. Since the divided part data constituting the data is merely replaced, the original data can obviously be restored from these, and D (1) and D (3) or D (2) and D (3) When acquiring and restoring S, since D (3) is divided data consisting only of random numbers, it is exclusive with the required number of random numbers for each divided partial data of D (1) or D (2). This is because by performing the logical sum operation, the original data can be restored by deleting the random number portion.

  Next, a re-division process for generating new division data (re-division data) by giving a random number to the division data once divided will be described. This is to explain the function of the subdivision data generation unit 53 of the access right management server 5, and also in this case, the case where the division number is 3 will be described as an example.

  FIG. 11 is a flowchart for explaining an outline of the data re-division processing. According to the figure, first, the divided data D (1), D (2), D (3) are acquired (step S601), and then the random number generator 51 generates a random number R ′ to be used for re-division. (Step S603).

  Next, a random number R 'is injected into each of the divided data D (1), D (2), D (3) according to a predetermined rule (step S605). This is the exclusive OR of the divided data of the divided data D (1), D (2), D (3) and the random data of the random number R ′ according to the rules described later. R is deleted, and new divided data D ′ (1), D ′ (2), and D ′ (3) are generated (steps S607 and S609).

  FIG. 12 shows the definition formula of divided partial data when the original data S is divided into three with the division number n = 3 based on the processing unit bit length b that is half the length of the original data, after reinjection of the random number R ′ 4 is a table showing a definition formula of the divided partial data, a definition formula of the divided partial data after erasing the random number R, a calculation formula when restoring the original data from each divided partial data, and the like.

  Here, the definition formula of the divided partial data D (i, j) will be described.

  First, as shown in FIG. 10, for the first divided data D (1), the first divided partial data D (1,1) is defined as S (1) * R (1) * R. The second divided partial data D (1, 2) is defined by the definition formula S (2) * R (2). The general form of this defining formula is S (j) * R (j) * R (j + 1) for D (1, j), and for D (1, j + 1) S (j + 1) * R (j + 1) (j is an odd number).

  For the second divided data D (2), as shown in FIG. 10, D (2,1) is defined by S (1) * R (1), and D (2,2) is Defined by S (2) * R (1) * R (2). The general form of this definition is S (j) * R (j) for D (2, j) and S (j + 1) * R for D (2, j + 1) (j) * R (j + 1) (j is an odd number).

  Furthermore, for the third divided data D (3), as shown in FIG. 10, D (3,1) is defined by R (1) and D (3,2) is defined by R (2). Is done. The general form of this definition is R (j) for D (3, j) and R (j + 1) for D (3, j + 1) (j is an odd number) To do).

  Next, the definition formula of the divided partial data D ′ (i, j) after the new random number R ′ is injected will be described.

  First, as shown in FIG. 12, for the first divided data D ′ (1), the first divided partial data D ′ (1,1) is defined by the definition formula D (1,1) * R ′. (1) * R '(2), that is, S (1) * R (1) * R (2) * R' (1) * R '(2) (1,2) is defined by the definition formula D (1,2) * R ′ (2), that is, S (2) * R (2) * R ′ (2). Note that the general form of this defining formula is D (1, j) * R '(j) * R' (j + 1) for D '(1, j), and D' (1, j +1) is D (1, j + 1) * R ′ (j + 1) (j is an odd number).

  For the second divided data D ′ (2), as shown in FIG. 12, D ′ (2,1) is D (2,1) * R ′ (1), that is, S (1 ) * R (1) * R '(1) and D' (2,2) is D (2,2) * R '(1) * R' (2), that is, S (2) * R (1) * R (2) * R '(1) * R' (2) is defined. The general form of this definition is D (2, j) * R '(j) for D' (2, j) and D (2 for D '(2, j + 1) , j + 1) * R ′ (j) * R ′ (j + 1) (j is an odd number).

  For the third divided data D ′ (3), as shown in FIG. 12, D ′ (3,1) is D (3,1) * R ′ (1), that is, R (1 ) * R ′ (1) and D ′ (3,2) is defined by D (3,2) * R ′ (2), that is, R (2) * R ′ (2). The general form of this definition is D (3, j) * R '(j) * for D' (3, j) and D (3, j + 1) for D '(3, j + 1). 3, j + 1) * R ′ (j + 1) (j is an odd number).

  Next, the definition formula of the divided partial data from which the old random number R is deleted will be described.

  First, as shown in FIG. 12, for the first divided data D ′ (1), the first divided partial data D ′ (1,1) is defined by the definition formula (S (1) * R (1) * R (2) * R '(1) * R' (2)) * (R (1) * R (2)), that is, S (1) * R '(1) * R' ( 2), the second divided partial data D ′ (1,2) is defined by the definition formula (S (2) * R (2) * R ′ (2)) * R (2), that is, S ( 2) It is defined by * R '(2). The general form of this defining formula is S (j) * R '(j) * R' (j + 1) for D '(1, j), and D' (1, j + 1 ) Is S (j + 1) * R ′ (j + 1) (j is an odd number).

  For the second divided data D ′ (2), as shown in FIG. 12, D ′ (2,1) is (S (1) * R (1) * R ′ (1) ) * R (1), that is, S (1) * R '(1), and D' (2,2) is defined as (S (2) * R (1) * R (2) * R '( 1) * R ′ (2)) * R (1) * R (2), that is, S (2) * R ′ (1) * R ′ (2). The general form of this definition is S (j) * R '(j) * for D' (2, j) and S (j + 1) for D (2, j + 1) ) * R ′ (j) * R ′ (j + 1) (j is an odd number).

  For the third divided data D ′ (3), as shown in FIG. 12, D ′ (3,1) is (R (1) * R ′ (1)) * R (1 ), That is, R ′ (1), and D ′ (3,2) is defined as (R (2) * R ′ (2)) * R (2), that is, R ′ (2). . The general form of this definition is R '(j) * for D' (3, j) and R '(j + 1) for D (3, j + 1) ( j is an odd number).

  In this way, the re-partitioned partial data D ′ (i, j) is respectively random number partial data R that has been injected into the divided partial data D (i, j) by the definition formula of the divided partial data D (i, j). After injecting random number partial data R '(j) corresponding to (j), inject random number partial data R (j) so as to erase random number partial data R (j) and calculate exclusive OR. , What you want.

  As a result, in the definition formula of the original divided partial data D (i, j), the random partial data R (j) replaced with the random partial data R ′ (j) is the re-divided partial data D ′ (i , j).

  Next, a process for restoring the original data from the repartitioned data will be described with reference to the table shown on the right side of FIG. This explains the function of the original data restoration unit 54 of the access right management server 5.

  First, the first original partial data S (1) can be generated from the divided partial data D ′ (2,1), D ′ (3,1) as follows.

D '(2,1) * D' (3,1) = (S (1) * R '(1)) * R' (1)
= S (1) * (R '(1) * R' (1))
= S (1) * 0
= S (1)
Further, the second original partial data S (2) can be generated from the other divided partial data as follows.

D '(2,2) * D' (3,1) * D '(3,2) = (S (2) * R' (1) * R '(2)) * R' (1) * R '(2)
= S (2) * (R '(1) * R' (1)) * (R '(2) * R' (2))
= S (2) * 0 * 0
= S (2)
In general, let j be an odd number
D '(2, j) * D' (3, j) = (S (j) * R '(j)) * R' (j)
= S (j) * (R '(j) * R' (j))
= S (j) * 0
= S (j)
Therefore, S (j) can be obtained by calculating D ′ (2, j) * D ′ (3, j).

In general, j is an odd number,
D '(2, j + 1) * D' (3, j) * D '(3, j + 1) = (S (j + 1) * R' (j) * R '(j + 1)) * R '(j) * R' (j + 1)
= S (j + 1) * (R '(j) * R' (j)) * (R '(j + 1) * R' (j + 1))
= S (j + 1) * 0 * 0
= S (j + 1)
Therefore, S (j + 1) can be obtained by calculating D ′ (2, j + 1) * D ′ (3, j) * D ′ (3, j + 1).

  Next, when D ′ (1) and D ′ (3) are acquired and S is restored, it is as follows.

D '(1,1) * D' (3,1) * D '(3,2) = (S (1) * R' (1) * R '(2)) * R' (1) * R '(2)
= S (1) * (R '(1) * R' (1)) * (R '(2) * R' (2))
= S (1) * 0 * 0
= S (1)
Therefore, S (1) can be obtained by calculating D ′ (1,1) * D ′ (3,1) * D ′ (3,2).

Similarly,
D '(1,2) * D' (3,2) = (S (2) * R '(2)) * R' (2)
= S (2) * (R '(2) * R' (2))
= S (2) * 0
= S (2)
Therefore, S (2) can be obtained by calculating D '(1,2) * D' (3,2).

In general, let j be an odd number
D '(1, j) * D' (3, j) * D '(3, j + 1) = (S (j) * R' (j) * R '(j + 1)) * R' ( j) * R '(j + 1)
= S (j) * (R '(j) * R' (j)) * (R '(j + 1) * R' (j + 1))
= S (j) * 0 * 0
= S (j)
Therefore, S (j) can be obtained by calculating D ′ (1, j) * D ′ (3, j) * D ′ (3, j + 1).

In general, j is an odd number,
D '(1, j + 1) * D' (3, j + 1) = (S (j + 1) * R '(j + 1)) * R' (j + 1)
= S (j + 1) * (R '(j + 1) * R' (j + 1))
= S (j + 1) * 0
= S (j + 1)
Therefore, S (j + 1) can be obtained by calculating D ′ (1, j + 1) * D ′ (3, j + 1).

  Next, when D ′ (1) and D ′ (2) are acquired and S is restored, it is as follows.

D '(1,1) * D' (2,1) = (S (1) * R '(1) * R' (2)) * (S (1) * R '(1))
= (S (1) * S (1)) * (R '(1) * R' (1)) * R '(2)
= 0 * 0 * R '(2)
= R '(2)
Therefore, R ′ (2) can be obtained by calculating D ′ (1,1) * D ′ (2,1).

Similarly,
D '(1,2) * D' (2,2) = (S (2) * R '(2)) * (S (2) * R' (1) * R '(2))
= (S (2) * S (2)) * (R '(2) * R' (2)) * R '(1)
= 0 * 0 * R '(1)
= R '(1)
Therefore, R ′ (1) can be obtained by calculating D ′ (1,2) * D ′ (2,2).

  Using these R ′ (1) and R ′ (2), S (1) and S (2) are obtained.

D '(2,1) * R' (1) = (S (1) * R '(1)) * R' (1)
= S (1) * (R '(1) * R' (1))
= S (1) * 0
= S (1)
Therefore, S (1) can be obtained by calculating D ′ (2,1) * R ′ (1).

Similarly,
D '(1,2) * R' (2) = (S (2) * R '(2)) * R' (2)
= S (2) * (R '(2) * R' (2))
= S (2) * 0
= S (2)
Therefore, S (2) can be obtained by calculating D '(1,2) * R' (2).

In general, let j be an odd number
D '(1, j) * D' (2, j) = (S (j) * R '(j) * R' (j + 1)) * (S (j) * R '(j))
= (S (j) * S (j)) * (R '(j) * R' (j)) * R '(j + 1)
= 0 * 0 * R '(j + 1)
= R '(j + 1)
Therefore, R ′ (j + 1) can be obtained by calculating D ′ (1, j) * D ′ (2, j).

Similarly,
D '(1, j + 1) * D' (2, j + 1) = (S (j + 1) * R '(j + 1)) * (S (j + 1) * R' (j) * R '(j + 1))
= (S (j + 1) * S (j + 1)) * (R '(j + 1) * R' (j + 1)) * R '(j)
= 0 * 0 * R '(j)
= R '(j)
Therefore, R ′ (j) can be obtained by calculating D ′ (1, j + 1) * D ′ (2, j + 1).

  Using these R ′ (j) and R ′ (j + 1), S (j) and S (j + 1) are obtained.

D '(2, j) * R' (j) = (S (j) * R '(j)) * R' (j)
= S (j) * (R '(j) * R' (j))
= S (j) * 0
= S (j)
Therefore, S (j) can be obtained by calculating D '(2, j) * R' (j).

Similarly,
D '(1, j + 1) * R' (j + 1) = (S (j + 1) * R '(j + 1)) * R' (j + 1)
= S (j + 1) * (R '(j + 1) * R' (j + 1))
= S (j + 1) * 0
= S (j + 1)
Therefore, S (j + 1) can be obtained by calculating D ′ (1, j + 1) * R ′ (j + 1).

  As described above, when the re-divided data is generated, among the three re-divided data without using all of the three re-divided data D ′ (1), D ′ (2), D ′ (3), As described above, the original data can be restored using the two subdivision data.

  Further, in this data re-division method, the data re-division process can be performed without restoring the original data once (the original data does not appear in a visible form), so that more secure data management becomes possible. .

(Operation)
Next, the operation of the access right management system 30 according to the present embodiment will be described with reference to FIG. Here, FIG. 13 is a sequence diagram showing data exchange between the terminals 3a and 3b and the access right management server 5 when the data authority of the data S is transferred from the former to the second party.

  First, when the user A has the access authority for the data S, the data S is transmitted from the terminal 3a of the user A to the access management server 5 (step S410). When transmitting the data S, a secure communication network 2a (for example, a LAN, an IP-VPN, a dedicated line, a telephone line, etc., not an open communication network 2b such as the Internet network) that prevents leakage of communication contents is used. In addition, instead of communication via the communication network 2a, for example, sending means such as mail may be used.

When the access right management server 5 receives the data S from the terminal 3a, the access right management server 5 generates a random number R of the former A, and uses the secret sharing method A described above to generate three data (divided data) D (1), D (2), D (3) is generated (steps S420 and S430). For example, specifically
D (1) = (S (1) * R (1) * R (2)) ‖ (S (2) * R (2))
D (2) = (S (1) * R (1)) ‖ (S (2) * R (1) * R (2))
D (3) = R (1) ‖R (2)
However, ‖ means a combination of a bit string and a bit string.

  Next, the access right management server 5 stores the divided data D (1) and D (2) in the storage servers 6a and 6b, respectively, and stores the divided data D (3) via the communication network 2 in the former terminal 3a. (Steps S440 and S450). Since the divided data D (3) is D (3) = R (1) ‖R (2) as described above, the transmission of the divided data D (3) is the same as the transmission of the random number R. It is.

  Upon receiving the divided data D (3) from the access right management server 5, the terminal 3a stores the divided data D (3) in the storage unit 31 (Step S460).

  With the above operation, the access right to the data S of the former is managed by the access right management server 5.

  Next, when Party A transfers the access authority for data S to Party B, the request for transferring the access right of data from Party A to Party B and the divided data D (3) are sent from the terminal 3a of Party A to the communication network 2. Via the access right management server 5 (step S510).

Upon receiving the access right transfer request from the terminal 3a to the second party and the divided data D (3) from the terminal 3a, the access right management server 5 generates a random number R ′ for the second party and generates the divided data D (1), D (2 ), D (3) using the secret sharing method A, three new data (subdivision data) D ′ (1), D ′ (2), D ′ (3) are generated (steps S520, S530). ). For example, specifically
D '(1) = (S (1) * R' (1) * R '(2)) ‖ (S (2) * R' (2))
D '(2) = (S (1) * R' (1)) ‖ (S (2) * R '(1) * R' (2))
D '(3) ＝ R' (1) ‖R '(2)
Next, the access right management server 5 stores the repartitioned data D ′ (1) and D ′ (2) in the storage servers 6a and 6b, respectively, and the repartitioned data D ′ (3) via the communication network 2. To the terminal 3b of the second party (steps S540 and S550). Note that, as described above, since the re-division data D ′ (3) is D ′ (3) = R ′ (1) 'R ′ (2), the transmission of the division data D ′ (3) is a random number. This is the same as the transmission of R ′.

  When the terminal 3b receives the re-division data D '(3) from the access right management server 5, the terminal 3b stores the re-division data D' (3) in the storage unit 31 (step S560).

  With the above operation, the access authority for the data S is transferred from Party A to Party B.

  Next, when B uses data S, a request to use data S and subdivision data D ′ (3) are transmitted from terminal 3b to access management server 5 via communication network 2 (step S610). .

  When the access right management server 5 receives the use request of the data S and the re-division data D ′ (3) from the terminal 3b, the re-division data D ′ (1), D ′ ( 2) is obtained, and the data S is decrypted by using the secret sharing method A from any two of these subdivision data D ′ (1), D ′ (2), and D ′ (3) (step S620).

  Next, the access right management server 5 transmits the decrypted data S to the user's terminal 3b via the secure communication network 2a or sending means (step S630).

  When the terminal 3b receives the data S from the access management server 5, the terminal 3b stores the data S in the storage unit 31 (step S640). As a result, the second party can use the data S at the terminal 3b.

  Therefore, the access right management system 30 according to the present embodiment includes the access right management server 5 that encrypts data using the secret sharing method A, and the terminals 3a and 3b. The data S of the user A of the assigning terminal 3a to which the access authority is transferred is generated by the secret sharing method A using the random number R of the user A, and a part of the divided data is the terminal 3a, and the rest is the access right. Managed by the management server 5. When the access right of the data S is transferred from the user A to the user B of the terminal 3b on the transfer side, the access right management server 5 re-uses the divided data from the divided data by the secret sharing method A using the random number R ′ of the user B. Even when the divided data is generated and a part of the re-divided data is managed by the terminal 3b and the rest is managed by the access right management server 5, the access authority of the data restricted by encryption is transferred to another person. , Data authority can be transferred without decryption, and sufficient security can be secured.

  In particular, the secret sharing method A in the present invention is a data division method that divides data into divided data of a desired number of divisions based on a desired processing unit bit length, and divides the data into processing unit bit lengths, A plurality of original partial data is generated, and a plurality of random partial data having a processing unit bit length is generated from a random number having a length equal to or shorter than the bit length of the data corresponding to each of the plurality of original partial data. In addition, each divided partial data constituting each divided data is generated for each processing unit bit length by exclusive OR of the original partial data and the random number partial data to generate a desired number of divided data and the generated divided data The data can be restored from a predetermined number of divided data of the data, and a plurality of random number partial data having a processing unit bit length is generated from the newly generated random number, The repartitioned partial data is generated for each processing unit bit length by exclusive OR of the divided part data and the random number partial data, and the repartitioned data of the desired number of divisions is generated, and among the generated repartitioned data, Since data can be restored from a predetermined number of subdivision data, the data can be subdivided without restoring the data.

Thereby, user data can be managed more securely.
Note that the secret sharing method A in the present embodiment does not require multi-precision integer arithmetic processing including polynomial arithmetic, remainder arithmetic, etc., so even when processing a large amount of large volume data, it is easy and quick. The effect that division and restoration can be performed can be obtained.

It is a block diagram which shows schematic structure of the access right management system which concerns on the 1st Embodiment of this invention. It is a sequence diagram which shows operation | movement of the access right management system which concerns on the 1st Embodiment of this invention. It is a block diagram which shows schematic structure of the access right management system which concerns on the 2nd Embodiment of this invention. It is a sequence diagram which shows operation | movement of the access right management system which concerns on the 2nd Embodiment of this invention. It is a block diagram which shows schematic structure of the access right management system which concerns on the 3rd Embodiment of this invention. It is a flowchart which shows the division | segmentation process in case the division | segmentation number n = 3 of the secret sharing method A. Each data and definition formula when 16-bit original data S is divided into three with a division number n = 3 based on the 8-bit processing unit bit length, and a calculation formula when restoring the original data from each divided partial data, etc. It is a table | surface which shows. It is a table | surface which shows the definition formula which produces | generates the division data, division | segmentation partial data, and each division | segmentation partial data in case division number n = 3. It is a flowchart which shows the general division | segmentation process when the division | segmentation number of the secret sharing method A is n and the process unit bit length is b. 12 is a table showing another example of definition data for generating divided data, divided partial data, and divided partial data when the number of divisions n = 3. It is a flowchart which shows the data re-division process of the secret sharing method A. Restore original data from each data, definition formula, and each divided partial data when re-dividing original data S with the number of divisions n = 3 based on the processing unit bit length that is half the length of the original data S by random number rewriting method It is a table | surface which shows the calculation formula in the case of doing. It is a sequence diagram which shows operation | movement of the access right management system which concerns on the 3rd Embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1a, 1b, 3a, 3b ... Terminal 2 ... Communication network 4, 5 ... Access right management server 6a, 6b ... Storage server 10, 20, 30 ... Access right management system 11, 31 ... Storage part 12 ... Data encryption part 13 ... Data decryption unit 14, 32 ... communication unit 41 ... encrypted data storage unit 42 ... key generation unit 43 ... data encryption unit 44 ... data decryption unit 45 ... communication unit

Claims (18)

An access right management system comprising a plurality of terminals for encrypting data using Vernam encryption, and managing access right transfer of the data between the terminals,
Means for encrypting the data with a first encryption key of the assigning terminal and generating first encrypted data in the assigning terminal having the data access authority;
Means for transmitting the first encrypted data from the assigning terminal to the assigning terminal that receives the data access authority;
Means for encrypting the first encrypted data with the second encryption key of the assigning terminal to generate second encrypted data in the assigning terminal;
Means for transmitting the second encrypted data from the transferee terminal to the transferee terminal;
Means for encrypting the second encrypted data with the first encryption key of the assigning terminal and generating third encrypted data in the assigning terminal;
Means for transmitting the third encrypted data from the assigning terminal to the assigning terminal;
Means for storing the third encrypted data in the predetermined storage unit as the data for which the access right has been transferred in the transfer-side terminal;
An access right management system comprising:   The access right according to claim 1, further comprising means for decrypting the third encrypted data stored in the storage unit with the second encryption key and generating the data in the assigning terminal. Management system. An access right management device capable of mutual communication with a plurality of terminals, and managing transfer of data access rights between the terminals using Vernam encryption,
Means for generating a first encryption key of the assigning terminal having access authority for the data, encrypting the data with the first encryption key, and generating first encryption data;
Means for storing the first encrypted data in a predetermined storage unit as data to which the transfer side terminal has access authority;
Means for transmitting the first encryption key to the assigning terminal;
Means for receiving the first encryption key from the transfer side terminal when transferring the data access authority;
A second encryption key of the transferee terminal that receives the data access authority is generated, and the first encryption data stored in the storage unit is generated using the received first encryption key and the generated second encryption key. Means for encrypting and generating second encrypted data;
Means for storing the second encrypted data in the storage unit as data to which the transferee terminal has access authority;
Means for transmitting the second encryption key to the transferring terminal;
An access right management apparatus comprising: Means for receiving the second encryption key from the assigning terminal when the data is used;
Means for decrypting the second encrypted data stored in the storage unit with the received second encryption key, and generating the data;
4. The access right management apparatus according to claim 3, further comprising: An access right management device that can communicate with a plurality of terminals and manages transfer of data access rights between the terminals using a secret sharing method,
The secret sharing method is:
A data division method for dividing the data into a desired number of divided data based on a desired processing unit bit length, dividing the data into processing unit bit lengths to generate a plurality of original partial data, Corresponding to each of the plurality of original partial data, a plurality of random number partial data having a processing unit bit length is generated from a random number having a length equal to or shorter than the bit length of the data, and each divided data Generate the divided partial data for each processing unit bit length by exclusive OR of the original partial data and the random number partial data, and generate the divided data of the desired number of divisions,
Generate a plurality of random part data of processing unit bit length from the newly generated random number, and generate re-partitioned partial data for each processing unit bit length by exclusive OR of the respective divided part data and the random part data A data division method for generating the desired number of subdivision data,
Means for generating a first random number of the assigning terminal having access authority for the data, and generating a plurality of divided data from the first random number and the data using the secret sharing method;
Means for transmitting a part of the plurality of divided data to the transfer side terminal;
Means for storing the remainder of the plurality of divided data in a predetermined storage unit as data to which the transfer side terminal has access authority;
When transferring the access authority of the data, means for receiving a part of the divided data from the transfer side terminal;
Generating a second random number of the transferee terminal to which the access authority of the data is transferred, and generating the secret sharing method based on the second random number, a part of the received divided data and the remainder of the divided data stored in the storage unit Means for generating a plurality of subdivision data using
Means for transmitting a part of the plurality of subdivision data to the terminal on the transfer side;
Means for storing the remainder of the plurality of subdivision data in the storage unit as data to which the assigning terminal has access authority;
An access right management apparatus comprising: When the data is used, means for receiving a part of the subdivision data from the transferee terminal;
Of the part of the received re-division data and the rest of the re-division data stored in the storage unit, the data is restored using the secret sharing method from a combination of a predetermined number of re-division data that can be restored Means,
6. The access right management apparatus according to claim 5, further comprising:   The secret sharing method uses each repartitioned partial data according to a definition formula of each repartitioned partial data obtained by replacing the random number partial data in the definitional expression of each divided part data with new random number partial data corresponding to the random number partial data. 7. The access right management apparatus according to claim 5 or 6, characterized in that An access right management method for managing access right transfer of the data between the terminals of an access right management system comprising a plurality of terminals for encrypting data using Vernam encryption,
In the assigning terminal having the data access authority, encrypting the data with the first encryption key of the assigning terminal to generate first encrypted data;
Transmitting the first encrypted data from the assigning terminal to the assigning terminal that receives the access authority of the data;
In the assigning terminal, encrypting the first encrypted data with a second encryption key of the assigning terminal to generate second encrypted data;
Transmitting the second encrypted data from the transferee terminal to the transferee terminal;
In the assigning terminal, encrypting the second encrypted data with the first encryption key of the assigning terminal to generate third encrypted data;
Transmitting the third encrypted data from the assigning terminal to the assigning terminal;
In the transferee terminal, storing the third encrypted data in a predetermined storage unit as data transferred access authority;
An access right management method comprising: An access right management device capable of mutual communication with a plurality of terminals is an access right management method for managing transfer of data access rights between the terminals using Vernam encryption,
Generating a first encryption key of the assigning terminal having access authority to the data, encrypting the data with the first encryption key, and generating first encrypted data;
Storing the first encrypted data in a predetermined storage unit as data to which the transfer side terminal has access authority;
Transmitting the first encryption key to the transferring terminal;
When transferring the access authority of the data, receiving the first encryption key from the transferring terminal;
A second encryption key of the transferee terminal that receives the data access authority is generated, and the first encryption data stored in the storage unit is generated using the received first encryption key and the generated second encryption key. Encrypting and generating second encrypted data; and
Storing the second encrypted data in a predetermined storage unit as data to which the transferee terminal has access authority;
Transmitting the second encryption key to the transferring terminal;
An access right management method comprising: An access right management apparatus capable of mutual communication with a plurality of terminals is an access right management method for managing transfer of access authority of data between the terminals using a secret sharing method,
The secret sharing method is:
A data division method for dividing the data into a desired number of divided data based on a desired processing unit bit length, dividing the data into processing unit bit lengths to generate a plurality of original partial data, Corresponding to each of the plurality of original partial data, a plurality of random number partial data having a processing unit bit length is generated from a random number having a length equal to or shorter than the bit length of the data, and each divided data Generate the divided partial data for each processing unit bit length by exclusive OR of the original partial data and the random number partial data, and generate the divided data of the desired number of divisions,
Generate a plurality of random part data of processing unit bit length from the newly generated random number, and generate re-partitioned partial data for each processing unit bit length by exclusive OR of the respective divided part data and the random part data A data division method for generating the desired number of subdivision data,
Generating a first random number of the assigning terminal having the data access authority, and generating a plurality of divided data using the secret sharing method from the first random number and the data;
Transmitting a part of the plurality of divided data to the transfer-side terminal;
Storing the remainder of the plurality of divided data in a predetermined storage unit as data to which the transfer side terminal has access authority;
When transferring the access authority of the data, receiving a part of the divided data from the transfer side terminal;
Generating a second random number of the transferee terminal to which the access authority of the data is transferred, and generating the secret sharing method from the second random number, a part of the received divided data and the remainder of the divided data stored in the storage unit Generating a plurality of subdivision data using:
Transmitting a part of the plurality of subdivision data to the terminal on the transfer side;
Storing the remainder of the plurality of repartitioned data in the storage unit as data to which the transferee terminal has access authority;
An access right management method comprising: A terminal program for an access right management system comprising a plurality of terminals for encrypting data using a Burnham cipher, and managing access right transfer of the data between the terminals,
To the transferring terminal that has the authority to access the data,
Encrypting the data with a first encryption key of the assigning terminal to generate first encrypted data;
Transmitting the first encrypted data to an assignee terminal that receives the data access authority;
Receiving the second encrypted data generated by encrypting with the second encryption key of the assigning terminal from the assigning terminal;
Encrypting the second encrypted data with the first encryption key to generate third encrypted data;
Transmitting the third encrypted data to the transferee terminal as access right transfer data;
A terminal program characterized by causing A terminal program for an access right management system comprising a plurality of terminals for encrypting data using a Burnham cipher, and managing access right transfer of the data between the terminals,
To the transferee terminal that receives the data access authority,
Encrypting the data with the first encryption key of the assigning terminal from the assigning terminal having the data access authority, and receiving the generated first encrypted data;
Encrypting the first encrypted data with a second encryption key of the assigning terminal to generate second encrypted data;
Transmitting the second encrypted data to the transfer side terminal;
Encrypting the second encrypted data with the first encryption key and receiving the generated third encrypted data from the assigning terminal;
Storing the third encrypted data in a predetermined storage unit as data that has been given access authority;
A terminal program characterized by causing   13. The terminal device according to claim 12, wherein the third encryption data stored in the storage unit is decrypted with the second encryption key, and the step of generating the data is executed by the assigning terminal. program. A computer-readable access right management program capable of mutual communication with a plurality of terminals and managing transfer of data access rights between the terminals using Vernam encryption,
Generating a first encryption key of the assigning terminal having access authority to the data, encrypting the data with the first encryption key, and generating first encrypted data;
Storing the first encrypted data in a predetermined storage unit as data to which the transfer side terminal has access authority;
Transmitting the first encryption key to the transferring terminal;
When transferring the access authority of the data, receiving the first encryption key from the transferring terminal;
A second encryption key of the transferee terminal that receives the data access authority is generated, and the first encryption data stored in the storage unit is generated using the received first encryption key and the generated second encryption key. Encrypting and generating second encrypted data; and
Storing the second encrypted data in a predetermined storage unit as data to which the transferee terminal has access authority;
Transmitting the second encryption key to the transferring terminal;
Is executed by the computer. When the data is used, receiving the second encryption key from the assigning terminal;
Decrypting the second encrypted data stored in the storage unit with the received second encryption key, and generating the data;
15. The access right management program according to claim 14, wherein the computer is executed. A computer-readable access right management program that can communicate with a plurality of terminals and manages the transfer of data access rights between the terminals using a secret sharing method,
The secret sharing method is:
A data division method for dividing the data into a desired number of divided data based on a desired processing unit bit length, dividing the data into processing unit bit lengths to generate a plurality of original partial data, Corresponding to each of the plurality of original partial data, a plurality of random number partial data having a processing unit bit length is generated from a random number having a length equal to or shorter than the bit length of the data, and each divided data Generate the divided partial data for each processing unit bit length by exclusive OR of the original partial data and the random number partial data, and generate the divided data of the desired number of divisions,
Generate a plurality of random part data of processing unit bit length from the newly generated random number, and generate re-partitioned partial data for each processing unit bit length by exclusive OR of the respective divided part data and the random part data A data division method for generating the desired number of subdivision data,
Generating a first random number of the assigning terminal having the data access authority, and generating a plurality of divided data using the secret sharing method from the first random number and the data;
Transmitting a part of the plurality of divided data to the transfer-side terminal;
Storing the remainder of the plurality of divided data in a predetermined storage unit as data to which the transfer side terminal has access authority;
When transferring the access authority of the data, receiving a part of the divided data from the transfer side terminal;
Generating a second random number of the transferee terminal to which the access authority of the data is transferred, and generating the secret sharing method from the second random number, a part of the received divided data and the remainder of the divided data stored in the storage unit Generating a plurality of subdivision data using:
Transmitting a part of the plurality of subdivision data to the terminal on the transfer side;
Storing the remainder of the plurality of repartitioned data in the storage unit as data to which the transferee terminal has access authority;
Is executed by the computer. When the data is used, receiving a part of the subdivision data from the assigning terminal;
Of the part of the received re-division data and the rest of the re-division data stored in the storage unit, the data is restored using the secret sharing method from a combination of a predetermined number of re-division data that can be restored Steps,
The access right management program according to claim 16, wherein the computer is executed. The secret sharing method uses each repartitioned partial data according to a definition formula of each repartitioned partial data obtained by replacing the random number partial data in the definitional expression of each divided part data with new random number partial data corresponding to the random number partial data. 18. The access right management program according to claim 16 or 17, characterized in that:

Images