JP2008250931A - System for restoring distributed information, information utilizing device, and verification device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent tracking by a malicious subject while entrusting restoration processing to a restoring device. <P>SOLUTION: A distributed information management device 2 stores each of the n-number of distributed information generated from secret information to be kept secret using a (k, n) threshold secret sharing scheme. An information utilizing device 1 generates and stores the n-number of random numbers, and makes an information restoration request including a distributed information identifier for uniquely identifying the requested distributed information, and the respective random numbers. A distributed information management device 2 conceals the distributed information by the random numbers and transmits it to a restoring device 3. Upon receiving the k-number of concealed distributed information, the restoring device 3 performs restoration processing of the (k, n) threshold secret sharing scheme to restore the concealed secret information. The information utilizing device obtains the secret information by decoding the restored concealed secret information using the random numbers. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a distributed information restoration system, an information utilization device, and a verification device for restoring shared information distributed by the (k, N) threshold secret sharing method.

  Conventionally, there is a technique called (k, N) threshold secret sharing method (k and N are integers, and k ≦ N). This technique includes a secret sharing algorithm (hereinafter referred to as distributed algorithm) that generates N different data (hereinafter referred to as distributed information) having the same bit length from input l-bit information (hereinafter referred to as secret information), It consists of a secret recovery algorithm (hereinafter referred to as a recovery algorithm) that recovers secret information before distribution from arbitrary k pieces of N pieces of distributed information. Since no information related to secret information can be obtained from K-1 or less shared information, secret information generated by centrally managing secret information in one place by managing distributed information distributed among multiple entities. The risk of information leakage can be reduced.

  As a secret sharing method, the secret sharing method proposed by Shamir is typical, but there is an XOR threshold method configured by using exclusive OR. The XOR threshold method proposed so far can achieve only the (2, N) threshold method when N is arbitrary, but the decoding process is much faster and lower than the Shamir method. This is a threshold secret sharing method that can be expected to be used in secret sharing application systems because it is a load and there are many cases where k = 2 in the application to an actual application system.

  As a system using this (k, N) threshold secret sharing, use multiple distributed information management devices that store shared information, and collect and share k or more shared information, then restore and verify the secret information Consider a distributed information restoration system composed of information utilization devices. Then, by introducing a restoration device that performs restoration processing, the information usage device obtains the shared information at least k times and verifies the validity (including the communication load) and the processing load for restoring the shared information Think about reducing. In this case, there is a problem that secret information restored by the restoration device is known. This problem can be dealt with by distributing the confidential information after performing confidential processing such as encryption with random numbers, etc., but the confidential information itself, the confidential information, the distributed information of these two information, the confidential secret An attack using identification information such as a random number for decrypting information (hereinafter referred to as tracking) is a threat. Tracking refers to the number of times the same secret information is restored by the restoration device or a malicious attacker who obtains this identification information and uses it as the identification information of the information utilization device. It is an attack to grasp. This attack can be dealt with by recalculating the shared information from the secret information transformed by a process such as giving a different random number each time, and periodically replacing the shared information held by the distributed information management device. In the first place, problems such as being traced remain, and in some cases, the cost of replacing the distributed information is not applicable depending on the application. As a way to avoid this problem, instead of encrypting and then distributing the secret information, the distributed information is encrypted with a different random number each time, and the encrypted shared information (hereinafter referred to as confidential shared information) is obtained. There is a method of decoding the data and returning it to the shared information, and then performing a restoration process, and there are systems that implement this.

  As a specific example, there is a distributed attribute authentication system described in Non-Patent Document 1. In this system, secret information corresponds to attribute information such as age and sex, and distributed information corresponds to information in which attribute information is distributed. The shared information management device issues an electronic certificate that guarantees the validity of the shared information, and the information utilization device verifies a plurality of certificates and then restores the attribute information from the shared information to confirm the attribute. That is, attribute authentication is performed based on the validity of the electronic certificate of the distributed information. Even if it is a distributed information management device due to the characteristics of secret sharing, the original attribute information cannot be restored unless it is collaborated, and it is an attribute certification method that is conscious of privacy protection and has the feature of being resistant to information leakage from the distributed information management device is there. In this application, since there is a service in which the distributed information management device relies on the validity of the certificate of the distributed information proved by itself, the validity check when registering the distributed information is strictly performed. It is possible to replace the distributed information once confirmed and saved, and it is necessary to be cautious because of the cost. In addition, the tracking of information by this application means the number of times, frequency, and timing of the attribute that the information using apparatus presents the same attribute, which leads to a privacy protection problem. For these reasons, this system adopts the above-mentioned method to conceal shared information with random numbers to generate secret shared information, decrypts it, and then restores it to prevent tracking and protect privacy To do.

However, when the purpose is not only to avoid the tracking problem but also to solve the problem of the processing load of the information utilization apparatus, this method cannot reduce the processing load of the information utilization apparatus. In particular, it is difficult to apply to a service that performs attribute certification (such as age certification at the time of purchase of cigarettes) in a mobile environment assuming a terminal with low computing ability such as a mobile phone as an information utilization device.
Kamiyama, Kiyoto, Shikata, Matsumoto, Basic Study on Distributed Attribute Authentication (3), 2006 Computer Security Symposium, pp.477-482.

As described above, in the distributed information restoration system, it has been difficult to achieve both the commissioning of processing for reducing the load on the information utilization device and the avoidance of tracking.

  The present invention has been made in view of the above problems, and a distributed information restoration system, information utilization apparatus, and verification apparatus that can prevent tracking by a malicious subject while entrusting restoration processing to a restoration apparatus. The purpose is to provide.

  The present invention uses (k, n) threshold secret sharing method to store each of n pieces of shared information generated from secret information to be kept secret, n shared information management devices, restoration devices, An information use apparatus for obtaining secret information is a distributed information restoration system connected via a network, and the information use apparatus generates n random numbers having the same bit length as the bit length of the shared information. Generating means, acquisition means for acquiring a shared information identifier for uniquely identifying shared information stored in the shared information management apparatus, storage means for storing each random number and each shared information identifier in association with each other, Transmission means for transmitting an information restoration request including the shared information identifier and one of the random numbers to at least k of the shared information management device, and each of the shared information management devices includes the information restoration request. When the original request is received, the shared information acquisition means for acquiring the shared information corresponding to the shared information identifier included in the information recovery request, and the acquired shared information is concealed by the random number included in the information recovery request. Secret sharing information generating means for generating secret sharing information and secret sharing information transmitting means for transmitting the generated secret sharing information to the restoring device, wherein the restoring device stores k pieces of the secret sharing information. Upon reception, a secret sharing information restoring means for restoring secret secret information by performing restoration processing of the (k, n) threshold secret sharing method, and secret secret information transmission for sending the restored secret information to the information utilization device And the information using device decrypts the transmitted secret information using the random number stored in the storage unit to obtain the secret information.

  In addition, the present invention provides an n number of shared information management devices that store each of n number of shared information generated from secret information that is to be kept secret using the (k, n) threshold secret sharing method, a restoration device, A distribution in which an information utilization device that makes a request to obtain the secret information to obtain service provision and a verification device that confirms the secret information to provide the service are connected via a network In the information restoration system, the verification device includes verification information generation means for generating verification information, the information utilization device includes verification information acquisition means for obtaining the verification information from the verification device, and bits of the distributed information Generating means for generating n random numbers having the same bit length as the length, shared information identifier acquiring means for acquiring a shared information identifier for uniquely identifying the shared information stored in the shared information management device, and Storage means for associating and storing each random number and each shared information identifier; and at least k information restoration requests including the verification information, the shared information identifier, and one of the random numbers. Each of the shared information management devices receives the information restoration request, and obtains the shared information corresponding to the shared information identifier included in the information restoration request. And concealing the acquired shared information with the random number included in the information restoration request to generate confidential shared information, and the generated shared shared information together with the verification information to the restoration device A secret sharing information transmitting means for transmitting, and when the restoration device receives k pieces of the secret sharing information, the restoring device performs a restoration process of a (k, n) threshold secret sharing method, A secret sharing information restoring unit that restores secret secret information, and a secret secret information transmitting unit that transmits the restored secret information together with the verification information to the information using device, the information using device being transmitted The secret information, the verification information, and the decryption information based on the random number stored in the storage unit are transmitted to the verification device, and the verification device confirms the transmitted verification information and then the secret information. Secret information is decrypted using the decryption information to obtain secret information.

  In addition, the present invention provides (n) shared information management apparatus that stores each of n shared information generated from secret information to be kept secret using the (2, n) threshold secret sharing method, a restoration apparatus, An information utilization apparatus connected via a network for obtaining the secret information, wherein the generation means for generating n random numbers having the same bit length as the distributed information, and the distributed information management apparatus An acquisition means for uniquely acquiring the shared information identifier for storing the shared information to be stored; a storage means for storing the random numbers in association with the shared information identifiers; and the shared information identifier and one of the random numbers. An exclusive argument between the transmission means for transmitting the information restoration request including the information to at least two of the shared information management devices, the shared information stored in the shared information management device, and the random number included in the information restoration request. A receiving means for receiving the secret information restored by the restoration device from the at least two secret sharing information that has been logically calculated, and decrypting the received secret information using the random number stored in the storage means, And a decoding means for obtaining.

  In addition, the present invention provides (n) shared information management apparatus that stores each of n shared information generated from secret information to be kept secret using the (2, n) threshold secret sharing method, a restoration apparatus, An information utilization device that presents the secret information and receives a specific service; and a verification device that is connected via a network and receives the secret information and provides the specific service, from the information utilization device Upon receiving a request to receive the specific service, a verification information generating unit that generates verification information, a transmission unit that transmits the generated verification information to the information utilization device, and an information restoration request that includes verification information are obtained. Restored by the restoration device from at least two pieces of secret sharing information obtained by performing an exclusive OR operation on the shared information stored in the shared information management device and the random number generated by the information utilization device. Receiving the secret information, the verification information provided in addition to the secret information, the receiving means for receiving the decryption information based on the random number, and confirming the transmitted verification information, the secret information is Secret information acquisition means for decrypting using the decryption information to obtain secret information is provided.

  According to the present invention, the restoration device processes shared information (secret sharing information) that is concealed with a different random number each time, and the restoration processing result is also concealment secret information concealed with a random number. Therefore, the information utilization apparatus can decrypt the secret information from the confidential secret information output from the restoration apparatus while keeping the secret information secret from the restoration apparatus. Therefore, the restoration process can be outsourced to reduce the processing load. Furthermore, in the past, it was necessary for the information utilization device to receive and verify k pieces of shared information and then decrypt it, but in the invention, it is only necessary to receive one output data from the restoration device of the same size as the secret shared information. In addition, it is possible to reduce the number of times the secret sharing information is decrypted and the traffic.

  Embodiments of the present invention will be described below with reference to the drawings.

First, the first embodiment will be described. FIG. 1 shows the entire distributed information restoration system to which the present embodiment is applied, and FIG. 2 shows a schematic flow of the distributed information restoration system.
The distributed information restoration system includes a plurality of information utilization apparatuses 1 and a plurality of information utilization apparatuses 1 that are communicably connected by TCP / IP or the like via various communication networks 4 such as an open communication network such as the Internet or a dedicated line connected thereto. 2 and 2 and a restoration device 3 are provided. In addition, the shared information generating apparatus 5 stores secret information (documents, images, moving images, encryption keys, etc.) that the user who uses the distributed information restoration system does not want to store in his / her own information using apparatus 1. 2... 2 are generated in order to be distributed and stored in two.

  The distributed information management devices 2... 2 are positions of a third party that can be trusted by the user, but there may be unintended information leakage and the like. Therefore, in the distributed registration process of the user's secret information, the shared information generation device 5 uses each of the n pieces of shared information generated from the input secret information by using the (k, n) secret sharing method for various communication. Distribution is performed directly or indirectly to the distributed information management apparatuses 2... 2 using the network 4 or using a recording medium. The shared information management devices 2 ... 2 store the distributed information distributed to itself in the own device. In this way, the correspondence between the user and the secret information cannot be taken unless there is a leakage of the number of pieces of shared information equal to or greater than the threshold necessary for restoration from the shared information management devices 2.

  The restoration device 3 trusts to correctly execute the secret sharing restoration algorithm, but may use the input / output to track a user who uses the information utilization device 1 or to obtain statistical information. Assume a subject. Therefore, in the process of acquiring the user's secret information, the information utilization apparatus 1 generates and stores at least k random numbers having the same length as each piece of shared information, and requests to acquire the secret information including each generated random number. Are transmitted to at least k distributed information management devices 2, respectively. Upon receiving the acquisition request, each shared information management device 2 transmits the secret shared information obtained by encrypting the shared information with a random number included in the acquisition request to the restoration device 3. The restoration device 3 obtains k pieces of secret sharing information from the distributed information management devices 2... 2 and restores the restored secret information by using the (k, n) secret sharing method restoration algorithm as it is. It transmits to the information utilization apparatus 1. The information utilization apparatus 1 can obtain the secret information by decrypting the secret information using a random number generated and stored at the time of the request. By doing so, the restoration device 3 other than the information use device 1 and the distributed information management device 2... 2 or an attacker can use the secret use secret information or the secret share information to use the information use device 1 (or use it). Can be tracked.

  According to the distributed information restoration system of the present embodiment as described above, since the restoration processing can be performed before the distributed information concealed with random numbers is decrypted, Secret information can be entrusted to the restoration device 3 while keeping it secret, and the processing load related to the restoration processing of the information use device 1 can be eliminated. Furthermore, the information utilization apparatus 1 only needs to receive one piece of secret shared information in reception in communication, and since it is no longer necessary to receive at least k pieces of shared information as in the existing case, the amount of communication can be reduced. .

  Even if the information utilization apparatus 1 is not only a mobile terminal whose IP address dynamically changes, but also a stationary computer that communicates with a fixed IP address, the IP address of each apparatus constituting the system is set as a proxy. By concealing with the existing anonymous communication technology known by a server, onion routing, etc., the information utilization apparatus 1 can transmit / receive data to / from the restoration apparatus 3 without worrying about the tracking problem using the network address as an identifier.

  Further, the communication from the information use device 1 to the distributed information management devices 2... 2 may be relayed by the restoration device 3. In this case, there is a risk of man-in-the-middle attacks by the restoration device 3. Appropriate secure channel between the use device 1 and the distributed information management device 2 ... 2 (communication channel in which the sender and the receiver authenticate each other and the confidentiality and integrity of the data flowing on the communication channel are ensured) It can be avoided by establishing communication and communicating. As an existing technique for establishing such a secure channel, for example, SSL (Secure Sockets Layer) is well known. When the information use device 1 connects to the distributed information management devices 2... 2 under the relay of the restoration device 3, the SSL server authentication mode using the public key certificate of the distributed information management devices 2. The above-described secure channel can be established by a combination with authentication of the information use device 1 by the management device 2... 2 or by the SSL mutual authentication mode in which the information use device 1 and the distributed information management device 2. .

  Next, an example in which the above embodiment is further embodied will be described below.

  In this example, the secret information distributed registration process generates n pieces of shared information from each of the secret information from the user by the (k, n) threshold distribution algorithm, and n pieces of shared information on the distributed information restoration system. Each of the management devices 2 ... 2 is distributed and stored and managed.

  FIG. 3 shows a functional block diagram of the shared information generating device 5.

  The secret information input unit 501 accepts d × (n−1) bits of secret information K (sid) input according to an instruction from the user. Note that sid is an identifier for identifying one of a plurality of pieces of secret information from the user.

  The secret information distribution unit 502 converts the secret information K (sid) from the secret information input unit 501 into n pieces of size d × (n−1) bits by a secret distribution method using the (2, n) XOR threshold method. The shared information S (sid, i) is generated. Note that i is an identifier for identifying each of the distributed information management devices 2... 2 and is a positive integer from 0 to n−1. Here, the detailed algorithm of the secret sharing method of the (2, n) XOR threshold method is described in the well-known document “Structure method of fast (2, n) threshold method and application to system, 2005 Computer Security Symposium, pp. 631-636. (Fujii, Tada, Hosaka, Tochikubo, Kato) ”may be used, and the description is omitted here.

  The secret information sharing unit 502 outputs the generated n pieces of shared information S (sid, i) to the output unit 505.

  In parallel with the operation of the secret information sharing unit 502, the shared information identifier generation unit 503 distributes the shared information S (sid, i) to the shared information management devices 2 ... 2 after distributing the shared information S (sid, i). A distributed information identifier DID (sid, i) for specifying is generated and output to the output unit 505.

  The connection destination information management unit 504 stores in advance the connection destination addresses, port numbers, and the like of each of the distributed information management devices 2... In parallel, they are output to the output unit 505. Further, when the distributed information management device 2... 2 authenticates the information use device 1, the connection destination information management unit 504 requires the authentication information (user ID, password, public key method authentication). Various authentication information, etc.) are stored in advance, and are output to the output unit 505 in parallel with the operation of the secret information distribution unit 502.

  The output unit 505 distributes the various types of information that have been output to appropriate devices as described below.

  Each of the n pieces of distributed information S (sid, i) is distributed to the distributed information management device 2 corresponding to the identifier i.

  Each of the n distributed information identifiers DID (sid, i) is distributed to the distributed information management device 2 corresponding to the identifier i. Further, all of the n distributed information identifiers DID (sid, i) are distributed to the information utilization apparatus 1.

The connection destination address and the port number are distributed to the information use apparatus 1. Further, when the distributed information management device 2... 2 authenticates the information use device 1, authentication information such as a user ID and a password is distributed to the information use device 1 and each distributed information management device 2. The Although not specifically shown here, when the system parameter K0ε {0,1} ^d by the (2, n) XOR threshold method is used at the time of restoration, it is distributed to the restoration device 3.

  In distributing each piece of information, it is distributed using a secure communication path, or distributed using a document under secure management and input by an operator or the like at each distributed information management device 2. This can be done.

  Various information distributed as described above is registered and stored in the following tables in each device.

  The information utilization apparatus 1 includes the distributed information identifier table 102 in FIG. 4 and the connection destination information table 103 in FIG.

  The shared information identifier table 102 stores n shared information identifiers DID (sid, i) in association with the secret information identifier sid. Further, since it is effective when selecting / deciding the secret information to be restored, supplementary information (comment column) such as what kind of information the secret information K (sid) pointed to by the identifier sid is stored in association with the sid. To do.

  The connection destination information table 103 includes an identifier (0 to n-1) of each distributed information management device 2 and a name indicating the restoration device 3 in order to communicate with each device during secret information acquisition processing described later. These connection destination addresses and port numbers are stored in association with each other. Further, here, since the distributed information management device 2 may authenticate the information use device 1, authentication information is stored.

  Next, each shared information management device 2... 2 includes a connection source information table 201 in FIG. 6 and a shared information table 202 in FIG.

  Each of the distributed information management devices 2 ... 2 should be able to construct a system similar to other information utilization devices other than the information utilization device 1 of the present embodiment. Therefore, the connection source information table 201 stores a device identification ID such as an information use device or a restoration device in association with the authentication information. Although not shown, when the restoration device 3 relays communication between the information utilization device 1 and the distributed information management device 2, an IP address, a port number, and the like may be stored.

  The shared information table 202 stores the shared information identifier DID (sid, i) and the shared information S (sid, i) in association with each other.

  By storing the information in each table of each device as described above, the secret information distributed registration process is completed.

  Next, the operations of the information use device 1, the distributed information management device 2, and the restoration device 3 will be described with respect to the process at the time of obtaining the user's secret information. 8, 9, and 10 show functional blocks of the information use device 1, the distributed information management device 2, and the restoration device 3, respectively. 11, 12, and 13 are flowcharts showing processing procedures of the information use device 1, the restoration device 3, and the distributed information management device 2, respectively.

  When the user specifies the secret information to be acquired by the information use apparatus 1, the information restoration request unit 104 refers to the distributed information identifier table 102 and acquires the secret information identifier sid corresponding to the specified secret information (A101). Next, a restoration request session identifier session_id for identifying a session for making an information restoration request is determined (A102). Next, the shared information identifier acquisition unit 105 acquires the shared information identifier DID (sid, i) corresponding to each shared information management apparatus (identifier i) from the shared information identifier table 102 (A103).

  Next, the random number generation unit 106 generates a d-bit random number M (sid, i) corresponding to the shared information S (sid, i) and having the same bit size as the shared information S (sid, i) (A104 ) N pieces of shared information are generated and stored in the secret random number table 101 together with the restoration request session identifier (A105). Any known technique may be used for the random number generation algorithm. If the generated random numbers M (sid, i) have the same data, there may be a problem with the security of this method, so that it may be checked that the generated random numbers are different.

  The secret random number table 101 is shown in FIG. The secret random number table 101 stores a random number M (sid, i) of length d × n bits corresponding to n pieces of shared information S (sid, i) in which secret information K (sid) is distributed, as a restoration request session. Store in association with the identifier session_id. In addition, a column for storing auxiliary information for identifying a restoration request session such as a start time and a state may be provided.

  Next, the information restoration request unit 104 obtains a restoration request session identifier session id, a shared information identifier DID (sid, i), and a secret random number M (sid, i) corresponding to each shared information management device 2. An information restoration request including the information is generated, relayed through the restoration device 3, and transmitted to each of the distributed information management devices 2 ... 2 (A106).

  Here, the restoration request may be transmitted to n distributed information management devices at a time, but is transmitted to a smaller number of devices, and if there is no response equal to or greater than the threshold value k, information is transmitted to other distributed information management devices 2 as needed. A restoration request may be transmitted. However, in this case, it is necessary to communicate at any time between the information utilization apparatus 1 and the restoration apparatus 3 to grasp the number of responses obtained so far. At this time, since a secure channel is established with the distributed information management device 2 using authentication information in the connection destination information table 103, the restoration device 3 that relays communication is included in the restoration request. It's safe because I don't know the information. As the restoration request session identifier, a communication session identifier such as a four-piece transmission / reception address and port number in TCP / IP when an information restoration request is made may be used. There is a problem that the correspondence between the restoration request session identifier and the secret information returned from the restoration device 3 becomes unclear when the communication session must be used or the communication session is interrupted for some reason. . In that case, the restoration request session identifier may be issued separately from the communication session identifier. As a specific example of the restoration request session identifier, a random number (for example, a 32-bit or 64-bit random number) collected from a sufficiently large space that is difficult to guess brute force can be considered. It is also possible to remember only the secret random number by creating a secret random number already created by using a hash function as an argument. In this case, the distributed information management device 2 receives the restoration request session identifier from the information use device 1 through the secure channel. Then, when the shared information management device 2 transmits the secret sharing information to the restoration device 3, the restoration request session identifier is included in the secret session information and notified, and the restoration device 3 notifies the information utilization device 1 of the restoration request session identifier. An information restoration request session is identified by transmitting it to the information using apparatus 1 by including it in the restoration session information. Although the distributed information management device 2 notifies the restoration device 3 here, the information use device 1 may separately notify the restoration device 3 of the restoration request session identifier.

  As described above, the information utilization apparatus 1 transmits an information restoration request to the distributed information management apparatus 2 via the restoration apparatus 3.

  Next, the restoration device 3 receives the information restoration request from the information utilization device 1 by the receiving unit 301 (B101), and the relay unit 302 sends the information restoration request to the distributed information management device 2 designated by each information restoration request. Is relayed (B102). In the present embodiment, the restoration device 3 relays communication between the information use device 1 and the distributed information management device 2. However, the information use device 1 and the distributed information management device 2 communicate directly, and the distributed information management device 2. May send the processing result and the reception address of the information utilization device 1 together to the restoration device 3, and the restoration device 3 may send the restoration processing result based on the received address. At this time, if the proxy server or the anonymous communication technique is used as described above, the restoration device 3 cannot illegally track the reception address of the information use device 1.

  Next, the shared information management device 2 that is the destination of the information restoration request transmitted from the restoration device 3 receives the information restoration request at the receiving unit 203 (C101). In this example, since the connection request source at the network level is the restoration device 3, it is determined whether or not the information restoration request of the legitimate information utilization device 1 is relayed in order to ensure safety (C102). More specifically, the authentication information stored in the connection source information table 201 is used to authenticate the user (user) using the information utilization apparatus 1 and establish a secure channel. In this case, SSL or the like can be used as described above. Here, since mutual authentication is not performed between the information use device 1 and the restoration device 3, the restoration device 3 cannot track the information use device 1. Further, the distributed information management device 2 may record the identifier of the authenticated information use device 1 in a log or the like and store it as evidence.

The concealment processing unit 204 acquires the distributed information identifier DID (sid, i) from the information restoration request received by the receiving unit 203 (C103). Shared information S (sid, i) = {S (sid, i, j) | S (sid, i, j) ∈ {0, 1} from the shared information table 202 with the acquired shared information identifier DID (sid, i) ^d , 0 ≦ j ≦ n−2} (length d × (n−1) bits of shared information S (sid, i)) and d−1 bits of distributed information s (sid, i, j) ) Is acquired (C104).

Then, the random number M (sid, i) = {M (sid, i, j) | M (sid, i, j) ∈ {0, 1} ^d , 0 ≦ j ≦ n−2} included in the information restoration request Each element of (recognized in the same way as the shared information) and each element of the shared information S (sid, i) are subjected to an exclusive OR operation for each bit to generate the secret shared information C (sid, i) (C105 ). Note that the secret sharing information C (sid, i) is described in more detail by the following equation.

  Next, the transmission unit 205 transmits the secret session information including the restoration request session identifier and the secret sharing information C (sid, i) to the restoration device 3 (C106). Here, it is preferable to provide a secure channel mutually authenticated between the distributed information management device 2 and the restoration device 3 to prevent an attack by a third party and improve safety. Here, the distributed information management device 2 can improve the security of the system by giving an electronic signature to the secret sharing information of the secret session information. Further, by applying an electronic signature to the secret session information, the correspondence between the information restoration request session and the secret sharing information can be explicitly indicated, and a pair of the fake secret sharing information and the restoration request session identifier is transmitted to the restoration device 3 In addition to avoiding a service load attack such as restoration, the subject of information creation becomes clear and fraud by the distributed information management device 2 can be suppressed.

  Next, the restoring device 3 receives the secret session information transmitted from the shared information management device 2 by the receiving unit 301 (B103). As a result of waiting for a response from the distributed information management device 2, if a problem occurs such that secret session information exceeding the threshold cannot be obtained, the processing is terminated after error processing (B104) such as reporting to the information using device 1. In addition, if the electronic signature is given to the secret session information or the secret sharing information C (sid, i) included in the secret session information by the secret key of the distributed information management device 2, whether or not falsification is performed by verifying the digital signature. Is detected.

On the other hand, as a result of waiting for a response from the shared information management device 2, when the secret session information greater than the threshold is obtained, the restoration unit 304 includes the secret session information received from the shared information management device 2 greater than the threshold 2. Two arbitrary pairs are selected from the secret sharing information C (sid, i) to be stored, and the secret algorithm CK (sid) = {CK (sid, a) | CK (sid, a) ε {0, 1} ^d , 1 ≦ a ≦ n−1, aεZ} is obtained (B105). When this restoration algorithm is applied, the i and n values of the received secret sharing information C (sid, i) are required. These values are the secret sharing information C (sid, i) in the secret session information. It is transmitted from the distributed information management device 2 in the form of header information or the like. In addition, the processing is stopped at the stage where the secret sharing information corresponding to the threshold is gathered, and the processing load and the transfer waiting time are reduced, or conversely, more secret sharing information C (sid, i) than the threshold is received. In this case, a method of verifying that the restored secret information CK (sid) coincides with each other and improving accuracy can be considered.

  The restoration device 3 has a secret to which a restoration request session identifier and identifiers (here, m and l) of the shared information management device that is the transmission source of the two pieces of secret shared information used for restoration are added as headers. The restoration session information composed of the information is transmitted to the information utilization apparatus 1 (B106).

The information utilization device 1 waits for a response to the information restoration request from the restoration device 3 (A107), and when a problem is reported such that restoration cannot be performed because shared information of a threshold value or higher cannot be obtained from the restoration device 3, error processing (A108) ), The process is terminated. On the other hand, when the restoration request session information from the restoration device 3 can be received, the decryption data generation unit 109 stores the secret random number table 101 using the restoration request session identifier and the identifiers l and m of the distributed information management device as keys. By referring (generally as m> l here), the secret random numbers M (sid, l) and M (sid, m) are acquired, and the decryption data P (sid) = {P ( sid, a) | P (sid, a) ε {0, 1} ^d , 1 ≦ a ≦ n−1, aεZ} is generated (A109).

  First, r = m−1 mod n is calculated and divided into the following cases (the calculation here is performed using n as a modulus).

M (sid, l) = {M (sid, l, j) | M (sid, l, j) ∈ {0,1} ^d , 0 ≦ j ≦ n− obtained from the distributed information management device 2 with the identifier l 2} includes M (sid, l, l), the next k is incremented until the integer k (initial value is 0) satisfies l-kr = n-1 (k <n-2). Calculate as follows.

Also, M (sid, m) = {M (sid, m, j) | M (sid, l, j) ∈ {0,1} ^d , 0 ≦ j ≦ n obtained from the distributed information management device with identifier m -2} includes M (sid, m, m), it is calculated as follows while incrementing k from 0 until m-kr = n-1 (k <n-2) is satisfied.

  The decryption processing unit 110 of the information use apparatus 1 calculates P (sid) generated by the decryption data generation unit 109 and the received secret information CK (sid) by exclusive OR, and generates secret information K ( sid) is obtained (A110).

  According to the first embodiment, which has been described in detail above, the restoration device 3 can restore the secret shared information concealed from the distributed information concealed with a random number before decoding. The restoration process performed by the apparatus 1 can be entrusted to the restoration apparatus 3 while keeping the secret information secret, and the processing load related to the restoration process of the information utilization apparatus 1 can be eliminated. Furthermore, the information utilization apparatus 1 only needs to receive one piece of secret shared information in reception in communication, and since it is no longer necessary to receive at least k pieces of shared information as in the existing case, the amount of communication can be reduced. .

  Further, since the secret information is concealed with a different random number each time, it is possible to prevent tracking by a subject who can know the secret information.

  Next, a second embodiment will be described. In addition to the first embodiment, the second embodiment includes a verification device that verifies user confidential information and provides a service to the user. Hereinafter, it is assumed that the secret information is attribute information such as age and sex, and an attribute certification system using distributed attribute information will be described. However, the secret information in the present embodiment is not particularly limited to the attribute information, and can be applied to other applications that provide services by presenting guaranteed secret information to the restoration device.

  FIG. 15 shows the entire attribute certification system of the present embodiment, and FIG. 16 designates a schematic flow of this system.

  In this system, a verification device 6 exists in addition to the information utilization device 1 ′, the plurality of distributed information management devices 2 ′, and the restoration device 3 ′, and an open communication network such as the Internet, a dedicated line connected to the communication device, etc. Are connected to each other via various communication networks 4. Further, as in the first embodiment, there is a distributed information generation device 5.

  When the verification device 6 receives a service request from the information utilization device 1 ′, the verification device 6 generates verification information, supplies the verification information to the information utilization device 1 ′, and requests presentation of secret information. The verification device 6 confirms the validity of the provided secret information by using the hashed verification information provided from the information use device 1 ′, decrypts the secret information, and satisfies the service provision condition. Provides the requested service to the information utilization apparatus 1 ′.

  Next, an implementation example of the present embodiment will be described below. The process at the time of distributed registration of secret information in this embodiment may be the same as that in the first embodiment.

  On the other hand, the process at the time of acquisition of secret information according to the present embodiment is the same as the process at the time of acquisition of secret information according to the first embodiment in that a service request is first sent from the information use apparatus 1 ′ to the verification apparatus 6. The verification session identifier is received from the verification device 6, the verification session identifier is processed by the distributed information management device 2 ′, and the secret information received by the session information utilization device 1 ′ is not decrypted. The processed verification session identifier is added and transmitted to the verification apparatus 6, and a point to be decoded after verification is added in the verification apparatus 6.

  In this embodiment, the reliability required for the distributed information management device 2 'is the same as that in the first embodiment, but the reliability required for the restoration device 3' is different. In the first embodiment, only the user who is the secret information holder uses the restored information. However, in this embodiment, the secret information is provided to the verification device, and the secret information of the restoration device is transferred to the secret information. The verification apparatus 6 provides a service using the electronic signature as a trust base. Therefore, in the present embodiment, the restoration device 3 ′ is also required to have the same high reliability as the distributed information management device 2 ′.

  Communication between the verification device 6 and the information utilization device 1 ′ protects against attacks by a malicious third party on a communication path using SSL server authentication with the verification device 6 as a server. Here, since the verification device 6 only needs to verify the secret information of the information use device 1 ′, it is not necessary to authenticate the information use device 1 ′. It should be noted that the conditions relating to the network address of the apparatus, the conditions relating to the threshold method, the conditions relating to communication between the information utilization apparatus 1 ′, the restoration apparatus 3 ′, and the distributed information management apparatus 2 and the exchanges are as described in the first embodiment. It is the same as the form.

  Next, operations of the information use device 1 ′ and the verification device 6 will be described. FIGS. 17 and 18 show functional blocks of the information use device 1 ′ and the verification device 6, respectively, and FIGS. 19 and 20 are flowcharts showing processing procedures of the information use device 1 ′ and the verification device 6, respectively. .

  First, the service request unit 111 of the information utilization apparatus 1 'transmits a service request to the verification apparatus 6 (A1001).

  When the request verification unit 603 of the verification device 6 receives a service request from the reception unit 502 (D1001), the random number generation unit 604 generates a session identification random number that is data for generating a verification session identifier (D1002). Any known technique may be used for the random number algorithm and the bit length at this time.

  The request verification unit 603 generates a hash value of data obtained by concatenating the generated session identification random number and the identification information of the verification device itself as a verification session identifier (D1003).

  The request verification unit 603 stores the verification session identifier in the session storage table 601 (D1004). FIG. 21 shows the session storage table 501. As shown in the figure, in association with the verification session identifier, together with the type of secret information to be verified in the session according to the content of the service request and the information necessary for managing the session establishment resource (here, the expiration date) Store. The session establishment resource may be effectively used by periodically deleting old session identifiers.

  The request verification unit 603 transmits the session identification random number and the type and condition of the secret information requesting presentation to the information use apparatus 1 '(D1005), and waits for the secret use secret information from the information use apparatus 1'.

  The service request unit 111 of the information utilization apparatus 1 'generates a hash value of data obtained by concatenating the received session identification random number and the identifier of the verification apparatus 6 and uses it as a verification session identifier (A1003).

  The service request unit 111 makes an information restoration request for the secret information requested to be presented by the verification device 6 (A1004). At this time, in the first embodiment, the random number generated by the random number generation unit 106 is registered in the secret random number table 101. However, in this embodiment, the secret random number table in which the verification session identifier is also associated. Using 1001 (FIG. 22), the previously generated verification session identifier is also saved.

  Thereafter, with respect to the process (A1005) from when the information utilization apparatus 1 'receives the confidential secret information from the restoration apparatus 3' to obtain the secret information, the process is performed in substantially the same manner as in the first embodiment. However, the verification session identifier is included in the information restoration request, and the secret random number hash H (M (sid, i)) that is the hash value of the secret random number M (sid, i) received by each distributed information management device 2 ′. ), The verification session identifier and the secret random number hash are also included in the secret session information and transmitted as secret result data from the distributed information management device 2 ′ to the restoration device 3 ′, and from the restoration device 3 ′ to the information utilization device 2 ′. Includes a verification session identifier and a secret random number hash H (M (sid, i)) of the distributed information management device (l) and the distributed information management device (m) that provided the secret shared information used to generate the secret secret information. , H (M (sid, i)) is also included in the restoration session information and returned as restoration result data. The shared information management device 2 ′ does not generate a secret random number hash, but the information utilization device 1 ′ creates a secret random number hash, and the distributed information management device 2 ′ receives the hash value of the received secret random number and the secret random number hash. It is also possible to make a configuration in which it is confirmed that and match.

  In the present embodiment, correspondence between the secret information, the verification session identifier, the restoration request session identifier, and the secret random number hashes H (M (sid, l)) and H (M (sid, m)) is guaranteed. Since it is important for security, it is desirable that the restoration session information transmitted from the restoration device 3 ′ to the information using device 2 ′ is given an electronic signature using the private key of the restoration device 3 ′. In the following, the discussion proceeds on the assumption that the electronic signature of the restoration device 3 ′ has been applied, and restoration session information (secret secret information, verification session identifier, restoration request session identifier, secret random number hash H (M (sid, l)), H (M (sid, m)) and the electronic signature are referred to as a confidential secret information certificate, which may include other fields such as an expiration date and a comment. There is no need.

  The service request unit of the information utilization device 1 ′ includes a secret secret information certificate, secret random numbers M (sid, l) and M (sid, m) necessary for generating decryption data for decrypting the secret secret information, and Is transmitted to the verification device 6 (A1006).

  Upon receiving the information (D1006), the request verification unit 503 of the verification device 6 refers to the session storage table 501 and confirms that the verification session identifier is valid (D1008). If the secret secret information certificate cannot be received, error processing is performed (D1007), and the processing is terminated.

  The verification device 6 verifies the electronic signature of the confidential secret information certificate received by the signature verification unit 605 (D1009).

  The decrypted data generation unit 506 of the verification device 6 uses the received hash values of the secret random numbers M (sid, l) and M (sid, m) as secret random number hashes H (M (sid, l)) and H (M ( After confirming that it is equal to sid, m)), decryption data for decrypting the secret information is generated from the received secret random number (D1010). This process is the same as the operation flow A107 of the information utilization apparatus 1 according to the first embodiment. Here, it is conceivable that the information utilization apparatus 1 ′ uses the created decrypted data instead of the secret random number, but the malicious information user transmits the decryption data that generates a restoration result different from the original secret information. In this case, a secret random number is transmitted instead of the decryption data. Furthermore, since there is a possibility that the information utilization device 1 ′ may transmit the verification device 6 by replacing it with a secret random number that generates decryption data for generating different decryption results, the restoration device 3 ′ This is prevented by the electronic signature. Further, the verification device 6 obtains not only the secret shared information proof but also the secret shared information and the electronic signature of the distributed information management device 2 ′ corresponding thereto, and verifies the signature, restores the secret shared information, and the received confidential information. By confirming the coincidence with the secret information, the security of the system for the verification device 6 can be further improved. However, in this case, since the shared information held by the shared information management device 2 ′ can be restored from the secret sharing information and the secret random number, if there is information leakage from the sharing information management device 2 ′, the sharing information The problem that an individual and its attribute are associated with each other using information as a key occurs, and the characteristic of this method that is inherently resistant to leakage from k distributed information management devices 2 'is impaired. There is. Therefore, in this embodiment, the secret sharing information is not provided to the verification device 6.

  The decryption processing unit 607 of the verification device 6 decrypts the received secret information with the decryption data (D1011) and confirms the secret information (D1012). If the confirmed secret information satisfies the service provision condition, the verification device 6 provides the service to the information use device 1 '(D1013).

  In the present embodiment, after the information utilization apparatus 1 ′ receives the request from the verification apparatus 6, it obtains the confidential secret information certificate and certifies the attribute. However, the confidential information authentication certificate that does not include the verification session identifier is previously restored. The information utilization apparatus 1 may present the secret information authentication certificate when connected to the verification apparatus 6.

  According to the present embodiment as described above, while providing the same effects as those of the first embodiment, the verification device 6 further confirms the validity of the attribute information of the information utilization device 1 ′ The utilization device 1 ′ can enjoy the service while preventing the verification device 6 from tracking.

  Further, since the secret information is concealed with a different random number each time, it is possible to prevent tracking by a subject who can know the secret information.

  Note that each device in each embodiment described above is described as a dedicated device for the sake of simplicity, but in general, a general-purpose device such as a server device, a personal computer, a mobile terminal such as a mobile phone, etc. It is obvious that each functional block is realized by a software program executed by a processor in the general-purpose device and includes such a device.

  Moreover, it is not limited to the said embodiment, In the implementation stage, it can change variously in the range which does not deviate from the summary. Furthermore, the above embodiments include inventions at various stages, and various inventions can be extracted by appropriately combining a plurality of disclosed constituent elements. For example, even if some constituent elements are deleted from all the constituent elements shown in the embodiment, the problem described in the column of the problem to be solved by the invention can be solved, and is described in the column of the effect of the invention. When an effect is obtained, a configuration in which this configuration requirement is deleted can be extracted as an invention.

The figure which shows the system with which 1st Embodiment is applied. The flowchart which shows schematic operation | movement of 1st Embodiment. FIG. 3 is a functional block diagram of the distributed information generation device 5. The figure which showed the shared information identifier table of 1st Embodiment The figure which showed the connection destination information table of 1st Embodiment. The figure which showed the connection origin information table of 1st Embodiment. The figure which showed the distribution | distribution information table of 1st Embodiment. The figure which shows the functional block of the information utilization apparatus 1 of 1st Embodiment. The figure which shows the functional block of the distributed information management apparatus 2 of 1st Embodiment. The figure which shows the functional block of the decompression | restoration apparatus 3 of 1st Embodiment. The flowchart which shows the process sequence of the information utilization apparatus 1 of 1st Embodiment. The flowchart which shows the process sequence of the decompression | restoration apparatus 3 of 1st Embodiment. The flowchart which shows the process sequence of the distributed information management apparatus 2 of 1st Embodiment. The figure which showed the secret random number table of 1st Embodiment. The figure which shows the system with which the 2nd Embodiment of this invention is applied. The flowchart which shows schematic operation | movement of 2nd Embodiment. The figure which shows information utilization apparatus 1 'of 2nd Embodiment. The figure which shows the verification apparatus 3 'of 2nd Embodiment. The flowchart which shows the process sequence of information utilization apparatus 1 'of 2nd Embodiment. The flowchart which shows the process sequence of the verification apparatus 6 of 2nd Embodiment. The figure which shows the session storage table of 2nd Embodiment. The figure which showed the secret random number table of 2nd Embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1, 1 '... Information utilization apparatus 2, 2' ... Distributed information management apparatus 3, 3 '... Restoration apparatus 4 ... Network 5 ... Distributed information generation apparatus 6 ... Verification apparatus 101, 1001 ... Secret random number table 102 ... Distributed information identifier table 103 ... Connection destination information table 104 ... Information restoration request unit 105 ... Distributed information identifier acquisition unit 106 ... Random number generation unit 107, 205, 303, 608 ... Transmission unit 108, 203, 301, 602 ... Reception unit 109 ... Decoding data generation Unit 110 ... Decoding processing unit 111 ... Service request unit 201 ... Connection source information table 202 ... Distributed information table 204 ... Concealment processing unit 302 ... Relay unit 304 ... Restoration unit 603 ... Request verification unit 604 ... Random number generation unit 605 ... Signature verification unit 606 ... Decoding data generation unit 607 ... Decoding processing unit

Claims (6)

Using the (k, n) threshold secret sharing method, n shared information management devices that store each of the n shared information generated from the secret information to be kept secret, a restoration device, and the secret information are obtained. A distributed information restoration system connected via a network with an information utilization device for
The information utilization device includes:
Generating means for generating n random numbers having the same bit length as the bit length of the shared information;
An acquisition unit for acquiring a shared information identifier for uniquely identifying the shared information stored in the shared information management device;
Storage means for storing each random number and each shared information identifier in association with each other;
Transmitting means for transmitting an information restoration request including the shared information identifier and one of the random numbers to at least k of the shared information management device, respectively.
Each of the distributed information management devices
Upon receiving the information restoration request, shared information acquisition means for acquiring the shared information corresponding to the shared information identifier included in the information recovery request;
Secret sharing information generation means for generating the secret sharing information by concealing the acquired sharing information with the random number included in the information restoration request;
A secret sharing information transmitting unit that transmits the generated secret sharing information to the restoration device;
The restoration device
When the k pieces of the secret sharing information are received, a secret sharing information restoring unit that restores the secret secret information by performing a restoration process of the (k, n) threshold secret sharing method;
A secret secret information transmitting means for transmitting the secret secret information restored to the information utilization device;
The distributed information restoration system, wherein the information utilization device decrypts the transmitted secret information using a random number stored in the storage unit to obtain secret information. Using the (k, n) threshold secret sharing method, obtain n shared information management devices that store each of n shared information generated from secret information that is to be kept secret, a restoration device, and provision of services. For this purpose, there is provided a distributed information restoration system in which an information utilization device that makes a request for obtaining the secret information and a verification device that confirms the secret information to provide the service are connected via a network. ,
The verification apparatus includes verification information generation means for generating verification information,
The information utilization device includes:
Verification information acquisition means for obtaining the verification information from the verification device;
Generating means for generating n random numbers having the same bit length as the bit length of the shared information;
A shared information identifier obtaining unit for obtaining a shared information identifier for uniquely identifying the shared information stored in the shared information management device;
Storage means for storing each random number and each shared information identifier in association with each other;
Transmission means for transmitting an information restoration request including the verification information, the shared information identifier, and one of the random numbers to at least k of the shared information management device, respectively.
Each of the distributed information management devices
Upon receiving the information restoration request, shared information acquisition means for acquiring the shared information corresponding to the shared information identifier included in the information recovery request;
Secret sharing information generation means for generating the secret sharing information by concealing the acquired sharing information with the random number included in the information restoration request;
A secret sharing information transmitting means for transmitting the generated secret sharing information together with the verification information to the restoration device;
The restoration device
When the k pieces of the secret sharing information are received, a secret sharing information restoring unit that restores the secret secret information by performing a restoration process of the (k, n) threshold secret sharing method;
A secret secret information transmission unit that transmits the restored secret information together with the verification information to the information use device,
The information using device transmits the transmitted secret information, the verification information, and the decryption information based on the random number stored in the storage unit to the verification device,
The distributed information restoration system characterized in that the verification device confirms the transmitted verification information, and then decrypts the secret information using the decoding information to obtain secret information. The (k, n) threshold secret sharing method uses the (2, n) threshold secret sharing method,
The secret sharing information generation unit of the shared information management device generates secret sharing information by performing an exclusive OR operation on the sharing information and the secret random number included in the information restoration request,
3. The secret information is obtained by performing an exclusive OR operation on the secret secret information and the random number stored in the information using apparatus when decrypting the secret sharing information. The distributed information restoration system described. When a series of processes in which the secret information is restored as one session, for each session,
4. The distributed information restoration system according to claim 1, wherein the generation unit of the information utilization apparatus newly generates n random numbers each time. Using the (2, n) threshold secret sharing method, connect n shared information management devices that store each of n shared information generated from secret information that is to be kept secret, a restoration device, and a network An information utilization device for obtaining the secret information,
Generating means for generating n random numbers having the same bit length as the bit length of the shared information;
An acquisition unit for acquiring a shared information identifier for uniquely identifying the shared information stored in the shared information management device;
Storage means for storing each random number and each shared information identifier in association with each other;
Transmitting means for respectively transmitting an information restoration request including the shared information identifier and one of the random numbers to at least two of the shared information management devices;
Receiving means for receiving secret secret information restored by the restoration device from at least two pieces of secret sharing information obtained by performing an exclusive OR operation on the shared information stored in the shared information management device and the random number included in the information restoration request; ,
An information utilization apparatus comprising: decryption means for decrypting received confidential secret information using a random number stored in the storage means to obtain secret information. Presenting n shared information management devices for storing each of n shared information generated from secret information to be kept secret, a restoration device, and the secret information using a (2, n) threshold secret sharing method An information utilization device that receives a specific service, and a verification device that is connected via a network, receives the presentation of the secret information, and gives the specific service,
A verification information generating means for receiving a request to receive the specific service from the information utilization device and generating verification information;
Transmitting means for transmitting the generated verification information to the information utilization device;
The restoration apparatus uses at least two pieces of secret shared information obtained by an information restoration request including verification information and exclusive ORed with the shared information stored in the shared information management apparatus and the random number generated by the information use apparatus. Receiving means for receiving the restored secret information, the verification information given in addition to the secret information, and the decoding information based on the random number;
A verification apparatus comprising: secret information acquisition means for obtaining secret information by decoding the secret information using the decryption information after confirming the transmitted verification information.

Images